High Variance in RDP Session Duration

Elastic Detection Rules

Summary
The detection rule 'High Variance in RDP Session Duration' uses machine learning to identify unusual fluctuations in Remote Desktop Protocol (RDP) session durations within a specified time frame (the last 12 hours). RDP is a widely used remote-access protocol, and adversaries who have compromised a target can abuse it to establish persistent access. By applying a variance threshold (70), the rule flags significant deviations from expected session lengths, which may indicate malicious activity such as lateral movement. The rule integrates with the Lateral Movement Detection and Elastic Defend integrations and requires the collection of specific file and RDP process events. It runs on a 15-minute interval and produces an alert when it identifies sessions with unusually high variance. The rule is classified as low severity with a risk score of 21, so security teams can prioritize and investigate incidents that may indicate compromise. It includes detailed guidance on investigation avenues as well as recommended response and remediation actions for any identified threats, including isolation of affected systems and forensic analysis.
Categories
  • Endpoint
  • Cloud
  • Windows
  • Infrastructure
Data Sources
  • User Account
  • Network Traffic
  • Process
  • Logon Session
ATT&CK Techniques
  • T1210
Created: 2023-10-12