
Summary
This detection rule identifies anomalous Remote Desktop Protocol (RDP) traffic occurring on TCP port 3389. The analytic filters out known legitimate RDP source and destination addresses to focus on atypical connections that could indicate unauthorized access attempts. Given the potential for significant security breaches through unauthorized RDP access, monitoring such traffic is crucial for security operations teams. The rule is implemented using a search that extracts relevant network traffic data, counts instances of atypical connections, and derives time metrics for the detected events. It is essential to classify known RDP systems to avoid false positives and effectively trigger alerts for genuine threats.
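The filter, count and time-metric steps described above, as an added Python example that is not the rule's own search: the sample flow records, the two allowlists, and the reading that a connection is atypical only when neither endpoint is a classified RDP system are assumptions made for the illustration.

```python
# Added example (not the detection rule's own search): apply the port filter,
# drop flows involving classified RDP systems, then count and time the rest.
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records; addresses are placeholders, not real hosts.
SAMPLE_FLOWS = [
    {"time": "2024-11-15T08:00:00", "src_ip": "10.0.1.5", "dest_ip": "10.0.2.10", "dest_port": 3389, "transport": "tcp"},
    {"time": "2024-11-15T08:05:00", "src_ip": "10.0.1.5", "dest_ip": "10.0.9.7", "dest_port": 3389, "transport": "tcp"},
    {"time": "2024-11-15T09:10:00", "src_ip": "10.0.3.44", "dest_ip": "10.0.9.7", "dest_port": 3389, "transport": "tcp"},
    {"time": "2024-11-15T09:12:00", "src_ip": "10.0.3.44", "dest_ip": "10.0.9.7", "dest_port": 3389, "transport": "tcp"},
    {"time": "2024-11-15T09:30:00", "src_ip": "10.0.3.44", "dest_ip": "10.0.9.8", "dest_port": 3389, "transport": "udp"},
    {"time": "2024-11-15T10:00:00", "src_ip": "10.0.3.44", "dest_ip": "10.0.9.7", "dest_port": 443, "transport": "tcp"},
]

# Hypothetical classification of known RDP systems (assumed allowlists).
KNOWN_RDP_SOURCES = {"10.0.1.5"}        # e.g. an administrative jump host
KNOWN_RDP_DESTINATIONS = {"10.0.2.10"}  # e.g. a terminal server


def is_atypical_rdp(flow, known_src=KNOWN_RDP_SOURCES, known_dest=KNOWN_RDP_DESTINATIONS):
    """TCP/3389 flow in which neither endpoint is a classified RDP system."""
    if flow["transport"] != "tcp" or flow["dest_port"] != 3389:
        return False
    return flow["src_ip"] not in known_src and flow["dest_ip"] not in known_dest


def summarize_atypical_rdp(flows, known_src=KNOWN_RDP_SOURCES, known_dest=KNOWN_RDP_DESTINATIONS):
    """Group atypical flows by (src, dest) and derive count, first time and last time."""
    groups = defaultdict(list)
    for flow in flows:
        if is_atypical_rdp(flow, known_src, known_dest):
            groups[(flow["src_ip"], flow["dest_ip"])].append(datetime.fromisoformat(flow["time"]))
    return {
        pair: {"count": len(times), "first_time": min(times).isoformat(), "last_time": max(times).isoformat()}
        for pair, times in groups.items()
    }


if __name__ == "__main__":
    # Only the unclassified 10.0.3.44 -> 10.0.9.7 pair survives the filters.
    for (src, dest), stats in summarize_atypical_rdp(SAMPLE_FLOWS).items():
        print(f"{src} -> {dest}: {stats['count']} connections, {stats['first_time']} .. {stats['last_time']}")
```

Populating the allowlists from an asset inventory is what keeps the jump-host and terminal-server flows out of the result; without that classification every RDP session in the sample would alert.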
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
ATT&CK Techniques
- T1021.001
- T1021
Created: 2024-11-15