Channel: THWACK: Discussion List - All Communities

Remote/network logon by local admin account


This rule will alert you when a local admin account is used to remotely access a computer. The rule matches the Remote logon type as well as the Network logon type. How often do you remotely connect to a computer with a local account? Probably not very often, if ever. The best part of this rule is that for most organizations the false positive rate is very low. The key to this rule is the group that you use for the UserLogon.DestinationAccount. Most organizations rename the local admin account and set the same password for that account on every computer, which an adversary can use to move through your environment without touching AD accounts. Add the local admin account name, plus any other local account names, to the group, in this example called 'Admin Accounts'.

This is a key indicator for lateral movement after a threat is in your environment, and can help you track down a threat that is using local accounts. I set this up as an email alert, but did not include that in the export as I'm not sure if it would save the email accounts that the alert gets sent to. I use this on the desktops as well as servers.
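The same detection logic expressed outside LEM, as an added example that is not the poster's rule export: it runs over constructed Windows Security 4624 logon events, flags any account in the equivalent of the 'Admin Accounts' group whose logon type is Network (3) or RemoteInteractive (10), and adds one refinement the post does not state, namely checking that the account is actually local (for a local account, TargetDomainName is the destination computer's own name rather than the AD domain), so a domain account that happens to share the renamed admin's name does not fire the alert. The account names, hostnames, addresses and the `CORP` domain are all constructed placeholders.

```python
"""Detect remote/network logons by local admin accounts over 4624 events.

Added example: not the original post's LEM rule. Events are constructed
dicts-as-dataclasses standing in for Windows Security event 4624 fields.
"""
from dataclasses import dataclass

# Logon types that mean the session did not start at the console:
# 3 = Network (SMB, WMI, remote service creation), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Equivalent of the post's 'Admin Accounts' group: the renamed built-in
# administrator plus any other local accounts to watch (constructed names).
ADMIN_ACCOUNTS = {"ladmin", "helpdesk_local"}


@dataclass(frozen=True)
class Logon:
    computer: str       # host that recorded the event (the destination)
    target_user: str    # TargetUserName
    target_domain: str  # TargetDomainName; equals the host name for local accounts
    logon_type: int     # LogonType
    source_ip: str      # IpAddress ("-" for console logons)


def is_local_account(ev: Logon) -> bool:
    """Local accounts log on against the machine's own NetBIOS name, so compare
    TargetDomainName with the short host name (the Computer field is usually a
    FQDN). A domain account shows the AD domain here instead."""
    short_host = ev.computer.split(".")[0]
    return ev.target_domain.upper() == short_host.upper()


def matches_rule(ev: Logon) -> bool:
    """The post's rule: destination account is in the admin-accounts group and the
    logon type is Remote or Network; plus the local-account check above."""
    return (
        ev.target_user.lower() in ADMIN_ACCOUNTS
        and ev.logon_type in REMOTE_LOGON_TYPES
        and is_local_account(ev)
    )


def find_alerts(events):
    """Return the events that should raise the alert, in order seen."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Logon("WS01.corp.example", "ladmin", "WS01", 2, "-"),              # console logon: expected
    Logon("WS02.corp.example", "ladmin", "WS02", 3, "10.0.0.15"),      # network logon: alert
    Logon("SRV01.corp.example", "ladmin", "SRV01", 10, "10.0.0.15"),   # RDP logon: alert
    Logon("SRV01.corp.example", "ladmin", "CORP", 3, "10.0.0.15"),     # domain account, same name: ignore
    Logon("WS03.corp.example", "jsmith", "CORP", 3, "10.0.0.20"),      # ordinary domain user: ignore
]


def alert_lines(events=SAMPLE_EVENTS):
    """Human-readable alert text, one line per matching event."""
    return [
        f"{ev.target_domain}\\{ev.target_user} logon type {ev.logon_type} "
        f"on {ev.computer} from {ev.source_ip}"
        for ev in find_alerts(events)
    ]


if __name__ == "__main__":
    for line in alert_lines():
        print(line)
```

Two events in the sample fire: the Network logon to WS02 and the RDP logon to SRV01, both from the same source address, which is exactly the pattern the post describes as a lateral-movement indicator. The console logon and the domain-account logons are left alone, so the low false-positive rate the post mentions holds even when a domain account shares the renamed admin's name.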
