
Outgoing Logon with New Credentials

Summary
This detection rule identifies logon events on Windows systems in which new credentials are used for authentication. It matches Security Event ID 4624 with Logon Type 9, which indicates a logon using new credentials and is often seen in authorized remote access scenarios, such as when users connect via Remote Desktop Protocol (RDP) or perform administrative tasks. The focus is on detecting potentially unauthorized access in which stolen credentials are used to reach systems. The rule is designed to give early warning of suspicious logon behavior that could indicate lateral movement within a network. Given the nature of the logs being monitored, it helps security teams proactively investigate unexpected logon activity that deviates from normal behavior patterns.
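The matching logic described above, as an added example that is not part of the rule page or the Sigma project: a small Python filter that applies the "Event ID 4624 and Logon Type 9" condition to a handful of constructed Security-channel records and returns the fields an analyst would want for triage. The record layout (top-level `EventID`, `Computer`, and an `EventData` map of the standard 4624 field names) is an assumption modelled on the JSON that common Windows log shippers produce; the hostnames, usernames and process paths are constructed sample values.

```python
"""Added example: detect Windows Security Event ID 4624 with Logon Type 9
(NewCredentials) over constructed sample records. Not the rule page's own code."""
from __future__ import annotations

from typing import Any, Iterable, Optional

EVENT_ID_LOGON = 4624           # "An account was successfully logged on"
LOGON_TYPE_NEW_CREDENTIALS = 9  # NewCredentials, e.g. runas /netonly

# Constructed sample events (field layout and all values are assumptions).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # Type 9 logon launched through runas.exe: should match
        "EventID": 4624, "Computer": "WS01.example.local",
        "EventData": {"LogonType": "9", "SubjectUserName": "alice",
                      "SubjectDomainName": "EXAMPLE", "TargetUserName": "alice",
                      "TargetDomainName": "EXAMPLE", "LogonProcessName": "seclogo",
                      "AuthenticationPackageName": "Negotiate",
                      "ProcessName": "C:\\Windows\\System32\\runas.exe"},
    },
    {   # Type 10 (RemoteInteractive) logon: same event ID, wrong logon type
        "EventID": 4624, "Computer": "WS01.example.local",
        "EventData": {"LogonType": "10", "SubjectUserName": "-",
                      "SubjectDomainName": "-", "TargetUserName": "carol",
                      "TargetDomainName": "EXAMPLE", "LogonProcessName": "User32",
                      "ProcessName": "C:\\Windows\\System32\\winlogon.exe"},
    },
    {   # Failed logon (4625) with Type 9: wrong event ID, should not match
        "EventID": 4625, "Computer": "WS02.example.local",
        "EventData": {"LogonType": "9", "SubjectUserName": "bob",
                      "SubjectDomainName": "EXAMPLE", "TargetUserName": "bob",
                      "TargetDomainName": "EXAMPLE", "LogonProcessName": "seclogo",
                      "ProcessName": "C:\\Windows\\System32\\runas.exe"},
    },
    {   # Type 9 logon from an unusual launching process: should match
        "EventID": 4624, "Computer": "WS02.example.local",
        "EventData": {"LogonType": 9, "SubjectUserName": "bob",
                      "SubjectDomainName": "EXAMPLE", "TargetUserName": "bob",
                      "TargetDomainName": "EXAMPLE", "LogonProcessName": "seclogo",
                      "AuthenticationPackageName": "Negotiate",
                      "ProcessName": "C:\\Users\\bob\\Downloads\\tool.exe"},
    },
]


def _logon_type(event: dict[str, Any]) -> Optional[int]:
    """LogonType is a string in XML-derived records and an int in others."""
    raw = event.get("EventData", {}).get("LogonType")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def is_new_credentials_logon(event: dict[str, Any]) -> bool:
    """The rule's selection: Event ID 4624 and Logon Type 9."""
    return (event.get("EventID") == EVENT_ID_LOGON
            and _logon_type(event) == LOGON_TYPE_NEW_CREDENTIALS)


def find_new_credentials_logons(events: Iterable[dict[str, Any]]) -> list[dict[str, str]]:
    """Return a triage summary for every matching event."""
    hits: list[dict[str, str]] = []
    for event in events:
        if not is_new_credentials_logon(event):
            continue
        data = event.get("EventData", {})
        hits.append({
            "host": str(event.get("Computer", "?")),
            "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "logon_process": str(data.get("LogonProcessName", "")),
            "process": str(data.get("ProcessName", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_new_credentials_logons(SAMPLE_EVENTS):
        print(f"[4624/type 9] host={hit['host']} subject={hit['subject']} "
              f"via={hit['logon_process']} process={hit['process']}")
```

When triaging a hit, note that a Type 9 event is recorded on the host where the alternate credentials were supplied, and that its `TargetUserName` is still the caller's own account; the event does not contain the new credentials themselves. The launching `ProcessName` is therefore the most useful field for separating routine administrative use of `runas` from something unexpected.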
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Logon Session
Created: 2022-04-06