Windows Unusual NTLM Authentication Users By Destination

Splunk Security Content

Summary
This analytic rule detects unusual NTLM authentication activity on Windows devices, specifically when many distinct accounts authenticate from non-domain devices to a domain-joined Windows device within a short period. This pattern typically indicates a brute-force attack, password spraying, or other unauthorized access attempts. The detection leverages EventID 8004 from the Microsoft-Windows-NTLM/Operational log, which is only written when NTLM auditing has been enabled through the "Network security: Restrict NTLM" policies, and filters out self-authentications (events where the source workstation is the destination itself) to focus on 'external' access attempts. It counts distinct user names per destination in each time window and flags windows whose count exceeds a statistical threshold derived from that destination's own history. The rule improves visibility into NTLM usage and helps security teams identify potential incidents related to unauthorized access attempts.
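The logic described above, prototyped in Python rather than SPL as an added example (this is not Splunk's own search): parse EventID 8004 records, drop self-authentications, count distinct users per destination per time window, and flag windows that exceed mean + k*stdev for that destination. Field names follow the 8004 event schema (WorkstationName is the client, SChannelName the server authenticated to, UserName the account); the 5-minute window, the multiplier of 3 and the floor of 5 distinct users are assumed tuning values, and the log records are constructed.

```python
"""Prototype of the 'unusual NTLM users by destination' detection over
constructed Microsoft-Windows-NTLM/Operational EventID 8004 records.
Added example, not Splunk's search; tuning constants are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 300       # 5-minute buckets (assumed tuning value)
STDEV_MULTIPLIER = 3.0     # flag windows above mean + 3*stdev (assumed)
MIN_DISTINCT_USERS = 5     # floor so zero-variance baselines never fire (assumed)


def build_sample_events():
    """Constructed sample: two hours of normal NTLM traffic to DC01 and FS01,
    a burst of self-authentications on DC01, then a spray from a non-domain
    host against DC01. Timestamps are seconds since an arbitrary epoch."""
    events = []
    for w in range(24):                          # 24 baseline windows
        t = w * WINDOW_SECONDS
        users = ["alice", "bob"] + (["carol"] if w % 4 == 0 else [])
        for u in users:
            events.append({"_time": t, "WorkstationName": "\\\\WS01",
                           "SChannelName": "DC01", "UserName": u})
        events.append({"_time": t, "WorkstationName": "\\\\WS02",
                       "SChannelName": "FS01", "UserName": "alice"})
    # Self-authentications on DC01: many accounts, but src == dest, so ignored.
    for i in range(10):
        events.append({"_time": 10 * WINDOW_SECONDS, "WorkstationName": "\\\\DC01",
                       "SChannelName": "DC01", "UserName": f"svc{i:02d}"})
    # Password spray from a host that is not in the domain: 12 distinct users.
    for i in range(12):
        events.append({"_time": 24 * WINDOW_SECONDS + i * 3,
                       "WorkstationName": "\\\\kali",
                       "SChannelName": "DC01", "UserName": f"user{i:02d}"})
    return events


def normalize_host(name):
    """8004 writes the client as '\\\\HOST'; strip the slashes and case-fold
    so WorkstationName and SChannelName compare cleanly."""
    return name.lstrip("\\").upper()


def distinct_users_per_window(events):
    """Return {(window, dest): set(users)} for every non-self authentication."""
    buckets = defaultdict(set)
    for ev in events:
        src = normalize_host(ev["WorkstationName"])
        dest = normalize_host(ev["SChannelName"])
        if src == dest:              # self-authentication: not an 'external' attempt
            continue
        window = ev["_time"] // WINDOW_SECONDS
        buckets[(window, dest)].add(ev["UserName"].lower())
    return buckets


def find_outliers(events, k=STDEV_MULTIPLIER, floor=MIN_DISTINCT_USERS):
    """Flag (window, dest) pairs whose distinct-user count is at or above that
    destination's mean + k*stdev across all of its windows and clears the floor."""
    buckets = distinct_users_per_window(events)
    counts_by_dest = defaultdict(list)
    for (_, dest), users in buckets.items():
        counts_by_dest[dest].append(len(users))
    outliers = []
    for (window, dest), users in sorted(buckets.items()):
        counts = counts_by_dest[dest]
        upper = mean(counts) + k * pstdev(counts)
        n = len(users)
        if n >= floor and n >= upper:
            outliers.append({"window": window, "dest": dest,
                             "unique_count": n, "upper_bound": round(upper, 2),
                             "users": sorted(users)})
    return outliers


if __name__ == "__main__":
    for hit in find_outliers(build_sample_events()):
        print(hit)
```

Two points the statistics alone do not cover. A destination with a flat baseline (FS01 above, one user in every window) has a standard deviation of zero, so mean + k*stdev equals the baseline and every window would "exceed" it; the absolute floor on distinct users is what keeps such hosts quiet. Conversely, the spray window is included in its own baseline, which inflates the standard deviation and can mask a single spike when the history is short, so the baseline needs enough windows (or an exclusion of the window under test) before the threshold is meaningful.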
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13