
Windows Kerberos Local Successful Logon

Splunk Security Content

Summary
This analytic rule detects local successful authentication events on Windows devices that use the Kerberos authentication protocol. Specifically, it matches EventCode 4624 where LogonType is 3 and the source address is 127.0.0.1, indicating that the built-in local Administrator account has been used for authentication. Such events matter because they can signify a possible Kerberos relay attack, in which an attacker abuses the authentication process to escalate privileges illegitimately. If an attacker gains access this way, they could execute arbitrary code, create new Active Directory accounts, or gain unauthorized access to sensitive systems, compromising the integrity of the system. To implement this rule effectively, ensure that Windows Security Event Logs, particularly EventCode 4624, are being ingested and that appropriate filtering is in place to identify genuine threats while minimizing false positives. Drilldown searches are also provided to examine the associated detection results and past risk events in more detail.
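The matching conditions from the summary, applied to constructed Windows Security event records. This is an added example, not Splunk's own search: the key=value event format, the sample values and the use of the AuthenticationPackageName field to express "using Kerberos" are assumptions made here.

```python
"""Added example (not the Splunk Security Content search): apply the
detection logic described above to constructed Windows Security event
records so the conditions can be checked offline without a Splunk instance."""

# Constructed sample events in a simplified key=value form. Field names
# mirror the usual Windows Security log fields; the values are made up.
SAMPLE_EVENTS = """\
EventCode=4624 LogonType=3 IpAddress=127.0.0.1 AuthenticationPackageName=Kerberos TargetUserName=Administrator Computer=WS01
EventCode=4624 LogonType=2 IpAddress=127.0.0.1 AuthenticationPackageName=Negotiate TargetUserName=alice Computer=WS01
EventCode=4624 LogonType=3 IpAddress=10.0.0.5 AuthenticationPackageName=Kerberos TargetUserName=svc_backup Computer=WS01
EventCode=4624 LogonType=3 IpAddress=127.0.0.1 AuthenticationPackageName=NTLM TargetUserName=Administrator Computer=WS01
EventCode=4625 LogonType=3 IpAddress=127.0.0.1 AuthenticationPackageName=Kerberos TargetUserName=Administrator Computer=WS01
"""


def parse_event(line: str) -> dict:
    """Split one 'key=value key=value ...' line into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())


def is_local_kerberos_logon(event: dict) -> bool:
    """Conditions from the summary: successful logon (4624), network
    logon type (3), loopback source address, Kerberos package."""
    return (
        event.get("EventCode") == "4624"
        and event.get("LogonType") == "3"
        and event.get("IpAddress") == "127.0.0.1"
        and event.get("AuthenticationPackageName") == "Kerberos"
    )


def detect(log_text: str) -> list:
    """Return the events that satisfy the rule; in Splunk these would be
    the search results that feed the risk event."""
    events = (parse_event(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in events if is_local_kerberos_logon(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['TargetUserName']} via "
              f"{hit['AuthenticationPackageName']} from {hit['IpAddress']}")
```

Only the first sample line matches; the interactive logon (LogonType 2), the remote source, the NTLM package and the failed logon (4625) are all excluded, which is the filtering the summary asks for to keep false positives down.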
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1558
Created: 2024-12-10