Failed Logon From Public IP

Sigma Rules

Summary
The detection rule 'Failed Logon From Public IP' identifies failed logon attempts whose source is a public IP address. Such attempts can indicate a misconfigured firewall or network boundary, which makes the rule useful for monitoring unauthorized access attempts. It relies on Windows Security Event ID 4625, the failed-logon event. To separate legitimate from potentially malicious attempts, the detection applies several filters: it excludes source addresses that fall within reserved private ranges (specified as CIDR ranges), as well as entries that are not valid IP addresses, such as the '-' placeholder. Even so, false positives may arise from legitimate logins over the internet or from IPv4-to-IPv6 mapped addresses. The rule's MITRE ATT&CK tags relate it to initial access and persistence, so it is particularly relevant to organizations tightening their defenses against those tactics.
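To make the filtering concrete, the following is an added Python example, not code from the page or from the Sigma rule itself. It applies the same logic to constructed Event 4625 records: it drops the '-' placeholder, excludes private ranges, and reports failed logons from public sources. It goes one step beyond the rule as summarized by unwrapping IPv4-mapped IPv6 addresses before the range check, which is the false-positive case the summary mentions. The CIDR list, the event field names and the sample events are assumptions of the example.

```python
import ipaddress

# Ranges treated as non-public (RFC 1918, loopback, link-local). The page lists
# no exact CIDRs, so this set is an assumption of this example.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10",
)]

# Constructed sample Security events (not real telemetry); RFC 5737
# documentation prefixes stand in for public source addresses.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.20.30.40"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "-"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "::ffff:198.51.100.7"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "::ffff:192.168.1.5"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "TargetUserName": "guest", "IpAddress": "fe80::1"},
]

def normalize_source_ip(raw):
    """Parse IpAddress; None if unusable. '-' is what Windows writes when no
    source address was recorded and is dropped like the rule's '-' filter.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so the CIDR check sees the
    embedded IPv4 address, which a CIDR filter on the IPv6 form would miss."""
    if "-" in raw:
        return None
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_public(ip):
    """True if the address falls in none of the filtered ranges."""
    return not any(ip in net for net in NON_PUBLIC_RANGES)

def failed_logons_from_public_ip(events):
    """Return (TargetUserName, source IP) pairs the rule would alert on."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        ip = normalize_source_ip(ev.get("IpAddress", "-"))
        if ip is not None and is_public(ip):
            hits.append((ev["TargetUserName"], str(ip)))
    return hits
```

Running it over the sample events yields two hits, both for `jdoe`: one from 203.0.113.45 and one from the mapped address ::ffff:198.51.100.7, unwrapped to 198.51.100.7.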
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Network Traffic
Created: 2020-05-06