
Summary
This detection rule monitors Windows hosts for the start of remote sessions over TeamViewer, a widely used remote access tool. It keys on the command-line invocation of the TeamViewer Desktop executable, 'TeamViewer_Desktop.exe', whose expected parent is the TeamViewer service ('TeamViewer_Service.exe'). A session is considered suspicious when the process runs with specific parameters that indicate an incoming connection. When the rule fires, the investigator can verify the session details in the 'incoming_connections.txt' log located in the TeamViewer application directory. The rule increases visibility into external remote access so that potentially unauthorized connections can be investigated promptly.
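The following is an added example of the matching logic the summary describes, written for this page rather than taken from the rule itself. It applies the three conditions (image name, parent image, and a command-line marker) to constructed process-creation events and attaches the triage hint about 'incoming_connections.txt' to each hit. The page does not name the actual command-line parameter, so the marker value `--incoming-session` and the sample events, hosts, and paths below are assumptions.

```python
# Added example: toy detection logic for the rule described above (not the
# rule's own query). The incoming-session marker and the process events are
# constructed assumptions; the page does not name the real parameter.

INCOMING_SESSION_MARKER = "--incoming-session"   # ASSUMED placeholder marker


def _basename(path):
    """Return the file-name component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_incoming_teamviewer_session(event):
    """True when a process-creation event satisfies all three rule conditions."""
    image_ok = _basename(event["image"]) == "teamviewer_desktop.exe"
    parent_ok = _basename(event["parent_image"]) == "teamviewer_service.exe"
    marker_ok = INCOMING_SESSION_MARKER.lower() in event["command_line"].lower()
    return image_ok and parent_ok and marker_ok


def find_alerts(events):
    """Run every event through the rule and attach a triage hint to each hit."""
    alerts = []
    for ev in events:
        if is_incoming_teamviewer_session(ev):
            alerts.append({
                "host": ev["host"],
                "timestamp": ev["timestamp"],
                "command_line": ev["command_line"],
                "triage": "Confirm the session in incoming_connections.txt "
                          "in the TeamViewer application directory.",
            })
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {   # service-spawned desktop process carrying the marker: should alert
        "host": "WS-07", "timestamp": "2024-03-11T09:14:02Z",
        "image": r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",
        "parent_image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
        "command_line": r'"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe" --incoming-session',
    },
    {   # user started TeamViewer from the shell: wrong parent, no alert
        "host": "WS-07", "timestamp": "2024-03-11T09:20:45Z",
        "image": r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe"',
    },
    {   # service-spawned but without the incoming marker: no alert
        "host": "WS-12", "timestamp": "2024-03-11T10:02:11Z",
        "image": r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",
        "parent_image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
        "command_line": r'"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe"',
    },
    {   # unrelated process: no alert
        "host": "WS-12", "timestamp": "2024-03-11T10:05:00Z",
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "notepad.exe",
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["host"], alert["timestamp"], alert["command_line"])
        print("  ->", alert["triage"])
```

Only the first event fires: the second has a user shell as parent and the third lacks the marker, which is the point of requiring all three conditions together rather than alerting on every TeamViewer_Desktop.exe launch. In a real deployment the marker constant would be replaced with the parameter the rule actually matches on.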
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2024-03-11