
Summary
The 'RDP Logon_Logoff Event' rule monitors and detects Remote Desktop Protocol (RDP) logon and logoff events in Windows environments. Detection is based on two Windows Event Codes: 4778, which indicates that a user has logged on to a remote system, and 4779, which indicates that a user has logged off. By querying these events, security analysts can identify potential unauthorized access or malicious activity carried out by threat actors during RDP sessions. The rule also correlates the logged events with known threat actors and ransomware families to give context on the severity and relevance of the detected activity, particularly for the lateral movement and initial access techniques associated with remote services. The rule uses Splunk search logic over endpoint data, capturing event time, host, user, and related metadata, to provide comprehensive visibility into RDP events.
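The search below is an added illustration of the detection logic the summary describes; it is not the rule's own query. It assumes Windows Security events are indexed under `index=wineventlog` with `sourcetype="WinEventLog:Security"`, that the Splunk Windows add-on extracts the 4778/4779 fields `Account_Name`, `Client_Name` and `Client_Address`, and that a hypothetical lookup file `rdp_threat_context.csv` (columns `user`, `threat_actor`, `ransomware_family`) holds the threat-actor and ransomware-family context the rule correlates against. Index, sourcetype and lookup names are assumptions and must be adapted to the environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode IN (4778, 4779)
| eval action=case(EventCode==4778, "rdp_logon", EventCode==4779, "rdp_logoff")
| eval user=coalesce(Account_Name, user)
| stats min(_time) AS first_seen max(_time) AS last_seen
        values(action) AS actions
        values(Client_Name) AS client_names
        values(Client_Address) AS client_addresses
        count AS event_count
  BY host user
| lookup rdp_threat_context.csv user OUTPUT threat_actor ransomware_family
| eval severity=if(isnotnull(threat_actor) OR isnotnull(ransomware_family), "high", "informational")
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen host user actions client_names client_addresses event_count threat_actor ransomware_family severity
| sort - severity - event_count
```

Grouping by `host` and `user` turns the raw event stream into one row per RDP session pairing, with the source machine name and address retained so an analyst can see where the session came from; the `lookup` and `severity` steps supply the threat-actor context the summary mentions, with sessions that match a known actor or family raised to `high` for triage.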
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1021.001
- T1133
Created: 2024-02-09