
Potential Machine Account Relay Attack via SMB

Elastic Detection Rules

Summary
This detection rule looks for a possible relay of a machine (computer) account's authentication to SMB (Server Message Block) on a Windows host. In an SMB relay attack the attacker sits between client and server, captures the client's NTLM authentication exchange and forwards it to a target server, so the target sees a legitimate account logging on from the attacker's address. When the victim is coerced into authenticating (forced authentication, T1187), the relayed identity is the victim's computer account, which Windows names with a trailing '$'.

The rule matches Windows Security event 5145 (a network share object was checked to see whether the client can be granted the desired access) where user.name ends with '$' and the request originates from a remote source IP; local access is excluded to avoid false positives from routine internal activity. A match is not proof of a relay: machine accounts legitimately reach remote shares, notably from domain controllers and management servers. The first investigation step is therefore to confirm that the source IP belongs to the computer whose account was used; a machine account arriving from an address its own host does not use is the telltale of a relay. Further steps are to review the surrounding security events on both the target and the source, and to examine the logon type and what the account did after connecting. The rule's purpose is to surface these sessions early enough for timely investigation and response.
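The rule's conditions and the first triage step, as an added Python example (it is not the Elastic rule's own query and is not part of the original page). It applies the conditions above to ECS-shaped event records and then checks each matching source IP against an inventory of which computer owns which address. The inventory (HOST_INVENTORY), the sample events and the use of the Winlogbeat-style field winlog.event_data.ShareName are constructed for this example.

```python
"""Machine-account SMB relay triage over constructed Windows Security events.

Added example, not the Elastic rule's own EQL/KQL. It applies the rule's
conditions to ECS-shaped event records (event.code, user.name, source.ip,
host.ip) and then adds the first triage step the summary recommends: checking
whether the source IP actually belongs to the computer whose account was used.
HOST_INVENTORY, SAMPLE_EVENTS and the ShareName field are constructed.
"""

import ipaddress

# Constructed inventory: computer name -> addresses that computer is known to
# use. In production this would come from DHCP/DNS/AD data (an assumption here).
HOST_INVENTORY = {
    "FILESRV01": {"10.0.1.10"},
    "WS-ALICE": {"10.0.2.55"},
    "DC01": {"10.0.1.5"},
}


def is_machine_account(user_name):
    """Active Directory computer accounts end with '$', e.g. 'WS-ALICE$'."""
    return user_name.endswith("$")


def is_local_source(source_ip, host_ips):
    """True when the 5145 did not come over the network from another host:
    loopback, an unset address ('-' as Windows logs it), an unparsable value,
    or one of the reporting host's own addresses."""
    if source_ip in ("", "-"):
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return addr.is_loopback or source_ip in set(host_ips)


def triage_source(user_name, source_ip, inventory):
    """Compare the source of a machine-account share access with where that
    computer should be. A relayed machine account shows up from the relaying
    host's address, not from the computer that owns the account."""
    computer = user_name.rstrip("$").upper()
    expected = inventory.get(computer)
    if expected is None:
        return "unknown_host"
    return "expected" if source_ip in expected else "relay_suspected"


def detect_machine_account_relay(events, inventory=HOST_INVENTORY):
    """Return one finding per event matching the rule's conditions
    (event 5145, machine account, remote source), with a triage verdict."""
    findings = []
    for ev in events:
        if str(ev.get("event.code")) != "5145":
            continue
        user = ev.get("user.name", "")
        src = ev.get("source.ip", "")
        if not is_machine_account(user):
            continue
        if is_local_source(src, ev.get("host.ip", [])):
            continue  # local access is excluded, as in the rule
        findings.append({
            "host": ev.get("host.name"),
            "user": user,
            "source_ip": src,
            "share": ev.get("winlog.event_data.ShareName"),
            "triage": triage_source(user, src, inventory),
        })
    return findings


# Constructed events as seen on file server FILESRV01 (10.0.1.10).
SAMPLE_EVENTS = [
    # A workstation's account arrives from an address the workstation does not
    # own: the shape of a coerced-and-relayed authentication.
    {"event.code": "5145", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "WS-ALICE$", "source.ip": "10.0.9.200",
     "winlog.event_data.ShareName": r"\\*\ADMIN$"},
    # A domain controller's account from the DC's own address: the rule fires,
    # triage marks it expected.
    {"event.code": "5145", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "DC01$", "source.ip": "10.0.1.5",
     "winlog.event_data.ShareName": r"\\*\IPC$"},
    # Human user: not a machine account.
    {"event.code": "5145", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "alice", "source.ip": "10.0.2.55",
     "winlog.event_data.ShareName": r"\\*\Finance"},
    # Server's own account over loopback: local access, excluded.
    {"event.code": "5145", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "FILESRV01$", "source.ip": "127.0.0.1",
     "winlog.event_data.ShareName": r"\\*\IPC$"},
    # Server's own account from its own address: still local, excluded.
    {"event.code": "5145", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "FILESRV01$", "source.ip": "10.0.1.10",
     "winlog.event_data.ShareName": r"\\*\IPC$"},
    # Different event code: ignored.
    {"event.code": "4624", "host.name": "FILESRV01", "host.ip": ["10.0.1.10"],
     "user.name": "WS-ALICE$", "source.ip": "10.0.9.200"},
]


if __name__ == "__main__":
    for finding in detect_machine_account_relay(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rule conditions produce two findings: WS-ALICE$ from 10.0.9.200 is marked relay_suspected because that address is not one the workstation uses, while DC01$ from the DC's own address is marked expected. The split shows why the source-IP check is the first triage step: the rule alone cannot separate the two.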
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Network Traffic
  • Active Directory
ATT&CK Techniques
  • T1187 (Forced Authentication)
  • T1557 (Adversary-in-the-Middle)
  • T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
Created: 2025-06-16