Vulnerable Netlogon Secure Channel Connection Allowed

Sigma Rules

Summary
This detection rule identifies instances where a vulnerable Netlogon secure channel connection is permitted, potentially exposing systems to exploitation through CVE-2020-1472. The Netlogon protocol, which authenticates users and devices in a Windows domain, has a known vulnerability that allows privilege escalation if an attacker can establish such a connection. The rule monitors Windows event log entries with Event ID 5829 from the NetLogon provider, which signal that a vulnerable connection was allowed. Because this vulnerability can let an attacker take over domain controllers and create malicious accounts, detecting this event is crucial for mitigating privilege escalation risk. Appropriate response measures should be taken upon detection, given the significant impact this vulnerability can have on an organization's security posture.
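The match condition the summary describes (System log, NetLogon provider, Event ID 5829), implemented in Python and run over a handful of constructed event records. This is an added example, not the Sigma rule's own source; the record field names (`Provider_Name`-style provider, channel, event id, and the `SamAccountName` / `Client` keys in the event data) are assumptions chosen for illustration, not a claim about the exact schema of the 5829 event.

```python
"""Flag Windows System-log events indicating that a vulnerable Netlogon
secure channel connection was allowed (Event ID 5829, provider NETLOGON).

Added example, not the Sigma rule's own source.  All event records below
are constructed, and the event-data keys (SamAccountName, Client) are
assumed names, not the documented 5829 schema.
"""
from dataclasses import dataclass, field
from typing import Iterable

NETLOGON_PROVIDER = "NETLOGON"
VULNERABLE_CHANNEL_ALLOWED = 5829


@dataclass(frozen=True)
class WinEvent:
    channel: str          # e.g. "System", "Security"
    provider: str         # event source / provider name
    event_id: int
    computer: str         # host that logged the event (the DC for 5829)
    data: dict = field(default_factory=dict)


def is_vulnerable_netlogon_event(ev: WinEvent) -> bool:
    """Match the condition the rule describes: System log, NETLOGON provider,
    Event ID 5829.  Provider is compared case-insensitively because log
    exporters differ in casing ("NETLOGON" vs "NetLogon")."""
    return (
        ev.channel == "System"
        and ev.provider.upper() == NETLOGON_PROVIDER
        and ev.event_id == VULNERABLE_CHANNEL_ALLOWED
    )


def find_alerts(events: Iterable[WinEvent]) -> list[dict]:
    """Return one alert per matching event with the fields a responder wants
    first: which domain controller allowed the connection and which machine
    account / client made it (taken from the assumed event-data keys)."""
    alerts = []
    for ev in events:
        if is_vulnerable_netlogon_event(ev):
            alerts.append({
                "domain_controller": ev.computer,
                "machine_account": ev.data.get("SamAccountName", "<unknown>"),
                "client": ev.data.get("Client", "<unknown>"),
                "event_id": ev.event_id,
            })
    return alerts


# Constructed sample records: two hits (different provider casing), one other
# NETLOGON event id that must not match, and an unrelated Security event.
SAMPLE_EVENTS = [
    WinEvent("System", "NETLOGON", 5829, "DC01.corp.example",
             {"SamAccountName": "WS042$", "Client": "10.0.5.42"}),
    WinEvent("System", "NETLOGON", 5827, "DC01.corp.example",
             {"SamAccountName": "WS099$"}),
    WinEvent("Security", "Microsoft-Windows-Security-Auditing", 4624,
             "DC01.corp.example"),
    WinEvent("System", "NetLogon", 5829, "DC02.corp.example",
             {"SamAccountName": "PRINT01$", "Client": "10.0.7.9"}),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Each alert names the domain controller that logged the event, so a responder can check that host's Netlogon configuration and the reported machine account first; any NetLogon event other than 5829 is deliberately left out of this rule's scope.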
Categories
  • Windows
  • Infrastructure
  • Identity Management
Data Sources
  • Windows Registry
  • Logon Session
  • Process
Created: 2020-09-15