Unusual Number of Remote Endpoint Authentication Events

Splunk Security Content

Summary
This rule identifies suspicious remote authentication activity using Windows Event ID 4624, which records successful account logons. It applies the 3-sigma rule to the number of logon events observed per source address: a source whose count exceeds the mean by more than three standard deviations is flagged as deviating from the network's normal authentication baseline. The behaviour of interest is a single source address authenticating to many endpoints, which may indicate lateral movement, staging of malware, or initial reconnaissance. If confirmed malicious, this activity could enable lateral movement within the network, privilege escalation, or collection of sensitive information for follow-on attacks. The rule helps Security Operations Centers (SOCs) prioritize activity that deviates from established baselines over routine logon noise.
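The following is an added example of the detection logic described above, written in Python rather than SPL; it is not Splunk's own search. It builds a constructed set of records shaped like Event ID 4624 fields (EventCode, IpAddress, LogonType, Computer, TargetUserName), counts remote logons per source address, and flags sources above mean + 3 standard deviations. The restriction to logon types 3 and 10, the exclusion of local addresses, and the use of sample standard deviation are assumptions of this example. A leave-one-out variant is included because, with few sources, a single heavy source inflates the standard deviation enough to mask itself.

```python
"""Three-sigma outlier detection over Windows 4624 (successful logon) events,
grouped by source network address. Added example, not Splunk's search."""
import statistics
from collections import defaultdict

REMOTE_LOGON_TYPES = {3, 10}          # Network and RemoteInteractive (assumption)
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}


def build_sample_events():
    """Constructed sample records in the shape of Event ID 4624 fields; not real telemetry."""
    events = []
    # 20 normal sources, each with a handful of network (type 3) logons
    baseline_counts = [2] * 8 + [1] * 6 + [3] * 6
    for i, n in enumerate(baseline_counts):
        src = f"10.0.1.{10 + i}"
        for j in range(n):
            events.append({"EventCode": 4624, "IpAddress": src, "LogonType": 3,
                           "Computer": f"WS{(i + j) % 5:02d}",
                           "TargetUserName": f"user{i:02d}"})
    # one source authenticating to 40 different hosts: the behaviour the rule targets
    for j in range(40):
        events.append({"EventCode": 4624, "IpAddress": "10.0.9.66", "LogonType": 3,
                       "Computer": f"SRV{j:02d}", "TargetUserName": "svc_backup"})
    # noise the aggregation must ignore: console/service logons and a failed logon (4625)
    events.append({"EventCode": 4624, "IpAddress": "-", "LogonType": 2,
                   "Computer": "WS00", "TargetUserName": "alice"})
    events.append({"EventCode": 4624, "IpAddress": "127.0.0.1", "LogonType": 5,
                   "Computer": "WS00", "TargetUserName": "SYSTEM"})
    events.append({"EventCode": 4625, "IpAddress": "10.0.9.66", "LogonType": 3,
                   "Computer": "SRV99", "TargetUserName": "svc_backup"})
    return events


def aggregate_by_source(events):
    """Map source address -> (remote 4624 logon count, number of distinct destination hosts)."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        if e["EventCode"] != 4624 or e["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        if e["IpAddress"] in LOCAL_ADDRESSES:
            continue
        counts[e["IpAddress"]] += 1
        hosts[e["IpAddress"]].add(e["Computer"])
    return {src: (counts[src], len(hosts[src])) for src in counts}


def three_sigma_outliers(per_source, sigma=3.0):
    """Sources whose count exceeds mean + sigma * stdev over all sources in the window.
    Sample stdev (n-1) is used, matching Splunk's stdev(). Returns (flagged, threshold)."""
    values = [c for c, _ in per_source.values()]
    if len(values) < 2:
        return {}, None
    threshold = statistics.mean(values) + sigma * statistics.stdev(values)
    flagged = {src: {"count": c, "distinct_hosts": h}
               for src, (c, h) in per_source.items() if c > threshold}
    return flagged, threshold


def leave_one_out_outliers(per_source, sigma=3.0):
    """Same test, but each source is compared against a baseline that excludes itself,
    so one dominant source cannot widen the threshold enough to hide its own count."""
    flagged = {}
    for src, (c, h) in per_source.items():
        others = [oc for osrc, (oc, _) in per_source.items() if osrc != src]
        if len(others) < 2:
            continue
        threshold = statistics.mean(others) + sigma * statistics.stdev(others)
        if c > threshold:
            flagged[src] = {"count": c, "distinct_hosts": h, "threshold": round(threshold, 2)}
    return flagged


if __name__ == "__main__":
    agg = aggregate_by_source(build_sample_events())
    flagged, thr = three_sigma_outliers(agg)
    print(f"threshold={thr:.2f} flagged={flagged}")
    print("leave-one-out:", leave_one_out_outliers(agg))
```

With 21 sources the heavy source is flagged either way; with the same heavy source among only a handful of baseline sources the plain 3-sigma threshold climbs above its count, which is why a real deployment should compute the baseline over a longer history or a larger population than the window being judged.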
Categories
  • Endpoint
  • Windows
  • Network
  • Identity Management
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2024-11-13