
RDP (Remote Desktop Protocol) to the Internet

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, flags network events that indicate Remote Desktop Protocol (RDP) traffic leaving the internal network for the Internet. RDP is widely used by system administrators for remote management and access to shared resources, but it is also a frequent target when reachable across the Internet: attackers use exposed RDP services to gain initial access or to establish a persistent backdoor, and a compromised internal host can use an outbound RDP session to reach attacker infrastructure or to move data out (hence the mapping to T1190 and T1048 below).

The rule matches TCP network events whose destination port is 3389 (the default RDP port) where the source IP is in a private address range (the RFC 1918 blocks) and the destination IP is not in a private, loopback, link-local or multicast range. Restricting the match this way suppresses ordinary internal-to-internal RDP sessions, which are by far the most common and are not what the rule is after. Because the match is on the port alone, RDP served on a non-default port or carried inside a tunnel will not be caught by this rule. Legitimate outbound RDP does occur, for example engineers managing Windows cloud server instances; in such environments the expected Internet destinations are usually a small set of RDP gateways, bastions or jump servers, which can be exempted from the rule to keep false positives down.

The rule carries a low severity and a risk score of 21: a single connection event is weak evidence on its own rather than proof of compromise. Any outbound RDP that is not explained by a known workflow still warrants investigation.
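The following is an added example, not Elastic's rule or its query language. It re-implements the filtering conditions described above in Python over ECS-style event dictionaries (event category, transport, source/destination IP and port) and adds an exemption list for approved RDP gateways or bastions, as the false-positive note suggests. The exclusion ranges are an approximation of "private, loopback, link-local or multicast", not a verbatim copy of the rule's list, and the sample events are constructed for illustration.

```python
"""Added example: RDP-to-Internet matching logic applied to ECS-style events.

Not Elastic's rule; the range list below approximates the exclusions the
rule describes, and the sample events are constructed, not captured traffic.
"""
import ipaddress
import json

RDP_PORT = 3389  # default RDP port; non-default ports or tunnels will not match

# Source must be in an RFC 1918 private range.
PRIVATE_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Destinations in these ranges are not "the Internet" and are excluded
# (assumed list: RFC 1918, loopback, link-local, multicast, IPv4 and IPv6).
EXCLUDED_DEST_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "224.0.0.0/4",                                     # IPv4 multicast
    "::1/128", "fe80::/10", "ff00::/8",                # IPv6 loopback, link-local, multicast
)]


def in_any(ip, networks):
    """True if ip lies inside any of the given networks (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def is_rdp_to_internet(event, exempt_destinations=()):
    """Return True when an ECS-style event satisfies the rule's conditions.

    exempt_destinations: IPs or CIDRs of approved RDP gateways / bastions;
    connections to them are suppressed instead of alerting.
    """
    if event.get("event", {}).get("category") not in ("network", "network_traffic"):
        return False
    if event.get("network", {}).get("transport") != "tcp":
        return False
    if event.get("destination", {}).get("port") != RDP_PORT:
        return False
    src = event.get("source", {}).get("ip")
    dst = event.get("destination", {}).get("ip")
    if not src or not dst:
        return False
    if not in_any(src, PRIVATE_SOURCE_RANGES):
        return False                    # only internal sources are of interest
    if in_any(dst, EXCLUDED_DEST_RANGES):
        return False                    # internal-to-internal RDP is normal
    exempt = [ipaddress.ip_network(x, strict=False) for x in exempt_destinations]
    if in_any(dst, exempt):
        return False                    # known bastion / jump server
    return True


def find_alerts(events, exempt_destinations=()):
    """Run the logic over a list of events and return the ones that alert."""
    return [e for e in events if is_rdp_to_internet(e, exempt_destinations)]


# Constructed sample events (documentation addresses, not real traffic).
SAMPLE_EVENTS = [
    # workstation -> internal server: dropped by the destination filter
    {"event": {"category": "network"}, "network": {"transport": "tcp"},
     "source": {"ip": "10.1.2.3"}, "destination": {"ip": "10.1.2.50", "port": 3389}},
    # workstation -> public address on 3389: alerts
    {"event": {"category": "network"}, "network": {"transport": "tcp"},
     "source": {"ip": "192.168.5.7"}, "destination": {"ip": "203.0.113.10", "port": 3389}},
    # same flow over UDP: not matched, the rule is TCP-only
    {"event": {"category": "network"}, "network": {"transport": "udp"},
     "source": {"ip": "192.168.5.7"}, "destination": {"ip": "203.0.113.10", "port": 3389}},
    # public source: the rule only considers private sources
    {"event": {"category": "network"}, "network": {"transport": "tcp"},
     "source": {"ip": "198.51.100.4"}, "destination": {"ip": "203.0.113.10", "port": 3389}},
    # internal host -> approved bastion: alerts unless exempted
    {"event": {"category": "network"}, "network": {"transport": "tcp"},
     "source": {"ip": "172.16.9.9"}, "destination": {"ip": "203.0.113.250", "port": 3389}},
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS, exempt_destinations=["203.0.113.250/32"]):
        print(json.dumps(e))
```

Without an exemption list the sample data produces two alerts (the public destination and the bastion); with the bastion exempted only the first remains. The exemption is applied after the private/multicast exclusion on purpose, so an exemption entry can never widen the match.
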
Categories
  • Network
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1190
  • T1048
Created: 2020-02-18