
Summary
This detection rule, authored by Elastic, is designed to identify potential relay attacks against a domain controller (DC). A relay attack occurs when an attacker coerces the DC into authenticating (forced authentication) and relays the captured NTLM authentication to another service to gain unauthorized access with the DC's identity. The rule analyzes Windows authentication events, focusing on logons by machine accounts (account names that end with a dollar sign) that originate from an unexpected source. The key criteria are the event code (4624 for a successful logon, 4625 for a failed logon attempt), a source IP that does not match the IP of the host the machine account belongs to, and use of the NTLM authentication package. By examining the nature and origin of these authentication requests, the rule flags anomalies that indicate a possible relay and provides insight into potential unauthorized access attempts. Additional guidance covers investigating alerts, responding to near misses, reducing false positives and improving detection efficacy.
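The following is an added example, not Elastic's rule code, that applies the criteria described above to a handful of constructed Windows logon events: it keeps only 4624/4625 events, requires a machine account (trailing `$`) and the NTLM package, and compares the event's source IP with the IPs the account's host is known to use. The `HOST_IPS` inventory and all sample events are constructed for the example; in a real deployment the host-to-IP mapping would come from the endpoint's own telemetry.

```python
"""Added example (not Elastic's rule): flag machine-account NTLM logons whose
source IP is not one of the IPs the account's own host uses."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class LogonEvent:
    event_code: int      # 4624 = successful logon, 4625 = failed logon attempt
    target_user: str     # account name from the event; machine accounts end with "$"
    source_ip: str       # IpAddress field: where the authentication came from
    auth_package: str    # AuthenticationPackageName: "NTLM", "Kerberos", ...
    logged_on: str       # host that recorded the event (the DC in this scenario)

# Constructed inventory: machine account host name -> IPs that host legitimately uses.
HOST_IPS: Dict[str, Tuple[str, ...]] = {
    "DC01": ("10.0.0.10", "fe80::1"),
    "WS01": ("10.0.0.25",),
}

# A local or absent source address cannot be a network relay.
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}

def is_relay_candidate(ev: LogonEvent, inventory: Dict[str, Tuple[str, ...]] = HOST_IPS) -> Tuple[bool, str]:
    """Return (flagged, reason) for one event using the summary's criteria."""
    if ev.event_code not in (4624, 4625):
        return False, "not a logon event"
    if not ev.target_user.endswith("$"):
        return False, "not a machine account"
    if ev.auth_package.upper() != "NTLM":
        return False, "not NTLM"
    if ev.source_ip in LOCAL_SOURCES:
        return False, "local source"
    host = ev.target_user.rstrip("$").upper()
    known = inventory.get(host)
    if known is None:
        # Unknown host: cannot judge the source, so do not alert on it here.
        return False, f"no inventory for {host}"
    if ev.source_ip in known:
        return False, "source matches host's own IP"
    return True, f"{ev.target_user} authenticated via NTLM from {ev.source_ip}, not one of {known}"

def find_relay_candidates(events: Iterable[LogonEvent]) -> List[Tuple[LogonEvent, str]]:
    """Run the check over an event stream and collect the flagged events."""
    hits: List[Tuple[LogonEvent, str]] = []
    for ev in events:
        flagged, reason = is_relay_candidate(ev)
        if flagged:
            hits.append((ev, reason))
    return hits

# Constructed sample events, all recorded on DC01.
SAMPLE_EVENTS = [
    LogonEvent(4624, "DC01$", "10.0.0.10", "NTLM", "DC01"),      # DC's own IP: benign
    LogonEvent(4624, "DC01$", "10.0.0.77", "Kerberos", "DC01"),  # Kerberos: out of scope
    LogonEvent(4624, "DC01$", "10.0.0.77", "NTLM", "DC01"),      # relay candidate
    LogonEvent(4625, "DC01$", "10.0.0.88", "NTLM", "DC01"),      # failed relay candidate
    LogonEvent(4624, "jdoe", "10.0.0.77", "NTLM", "DC01"),       # user account: out of scope
    LogonEvent(4624, "WS01$", "10.0.0.25", "NTLM", "DC01"),      # workstation from its own IP
    LogonEvent(4624, "DC01$", "-", "NTLM", "DC01"),              # no source address
]

if __name__ == "__main__":
    for ev, reason in find_relay_candidates(SAMPLE_EVENTS):
        print(f"event {ev.event_code} on {ev.logged_on}: {reason}")
```

Running the block prints the two flagged events (the successful and the failed NTLM logons of `DC01$` from addresses that are not the DC's own). The unknown-host branch deliberately returns `False` so that gaps in the inventory produce no alerts rather than noise; a practitioner would instead surface those separately as an inventory problem.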
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Active Directory
- Windows Registry
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1187
- T1557
- T1557.001
Created: 2024-07-24