NTLM Brute Force

Sigma Rules

Summary
This detection rule targets NTLM brute force attacks by identifying device names commonly used by the tooling behind such attacks. It monitors Windows systems for Event ID 8004 from the NTLM service, which logs NTLM authentication requests. The rule inspects the 'WorkstationName' field and flags names typically associated with brute force attempts, including 'Rdesktop', 'Remmina', 'Freerdp', and names built from Windows version strings (7, 8, 2012, 2016, and 2019). An alert fires only when both the event selection criteria and one of the suspicious device names match. This detection helps organizations identify unauthorized access attempts that abuse NTLM authentication and so reduces the risk of credential abuse.
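The rule logic described above, re-implemented as an added example over constructed sample events (this is not the Sigma rule itself or the project's code). The event field names, the provider name "Microsoft-Windows-NTLM", and case-insensitive substring matching of the WorkstationName are assumptions made here.

```python
"""Added example: NTLM brute force detection logic (Event ID 8004 + suspicious
WorkstationName) applied to constructed sample events, not real telemetry."""
from collections import Counter

# Device names the rule flags in the WorkstationName field (listed in the summary above).
SUSPICIOUS_WORKSTATION_NAMES = (
    "Rdesktop", "Remmina", "Freerdp",
    "Windows7", "Windows8", "Windows2012", "Windows2016", "Windows2019",
)

# Assumed event selection: the NTLM provider and Event ID 8004.
NTLM_PROVIDER = "Microsoft-Windows-NTLM"
NTLM_AUTH_REQUEST_EVENT_ID = 8004


def matches_ntlm_brute_force(event: dict) -> bool:
    """Return True only when both parts of the rule hold: the event selection
    (NTLM provider, Event ID 8004) and a suspicious WorkstationName.
    Case-insensitive substring matching is an assumption of this example."""
    if event.get("Provider") != NTLM_PROVIDER:
        return False
    if event.get("EventID") != NTLM_AUTH_REQUEST_EVENT_ID:
        return False
    workstation = str(event.get("WorkstationName", "")).lower()
    return any(name.lower() in workstation for name in SUSPICIOUS_WORKSTATION_NAMES)


def triage(events) -> dict:
    """Count alerts per WorkstationName so a responder sees the volume from each
    suspicious device rather than one alert per authentication attempt."""
    hits = Counter()
    for ev in events:
        if matches_ntlm_brute_force(ev):
            hits[ev["WorkstationName"]] += 1
    return dict(hits)


# Constructed sample events: two suspicious 8004 records, one benign 8004 record,
# and one event from a different provider/ID that the selection must ignore.
SAMPLE_EVENTS = [
    {"Provider": NTLM_PROVIDER, "EventID": 8004, "WorkstationName": "rdesktop", "TargetUserName": "svc_backup"},
    {"Provider": NTLM_PROVIDER, "EventID": 8004, "WorkstationName": "FINANCE-PC01", "TargetUserName": "alice"},
    {"Provider": NTLM_PROVIDER, "EventID": 8004, "WorkstationName": "FreeRDP", "TargetUserName": "svc_backup"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4625, "WorkstationName": "Remmina"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["WorkstationName"], "->", matches_ntlm_brute_force(ev))
    print("alerts per workstation:", triage(SAMPLE_EVENTS))
```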
Categories
  • Windows
  • Network
  • Identity Management
Data Sources
  • Windows Registry
  • Logon Session
Created: 2022-02-02