Windows Default RDP File Creation By Non MSTSC Process

Splunk Security Content

Summary
The detection rule 'Windows Default RDP File Creation By Non MSTSC Process' identifies anomalous file operations involving the Default.rdp file, which is normally written only by the Remote Desktop Connection client, mstsc.exe. This file usually resides in the user's Documents folder and stores RDP connection details such as the target hostname and session preferences. The rule triggers an alert when Default.rdp is created or modified by any process other than mstsc.exe, since that behavior may indicate unauthorized remote access attempts or lateral movement by an attacker. The detection relies on Sysmon events (EventID 1 for process creation and EventID 11 for file creation) to correlate process activity with file modifications. It runs a Splunk query that joins the process data with the filesystem events over a specified timeframe, filters for Default.rdp, and excludes writes made by mstsc.exe. Implementing this detection requires endpoint data ingestion to be configured correctly and the latest Common Information Model (CIM) to be in use. The rule has known false positives: legitimate processes may also manipulate Default.rdp, so filtering or restricting alerts to critical systems is advisable. The rule is useful for security operations and incident response teams that want to improve detection of unauthorized remote access activity.
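The correlation the rule describes (join Sysmon EventID 1 process creations to EventID 11 file creations on the ProcessGuid, keep only Default.rdp, drop writes by mstsc.exe), shown as an added Python example rather than the Splunk query itself; the events, process GUIDs and user names below are constructed sample data, not real logs.

```python
"""Added example: flag Default.rdp creation by a process other than mstsc.exe.
Mirrors the Sysmon EventID 1 + EventID 11 correlation described on this page.
All events below are constructed sample data (not real telemetry)."""
from typing import Dict, List

# Constructed Sysmon-style events. EventID 1 = process create, EventID 11 = file create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessGuid": "{GUID-A}", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mstsc.exe"},
    {"EventID": "11", "ProcessGuid": "{GUID-A}",
     "TargetFilename": "C:\\Users\\alice\\Documents\\Default.rdp"},
    {"EventID": "1", "ProcessGuid": "{GUID-B}", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": "11", "ProcessGuid": "{GUID-B}",
     "TargetFilename": "C:\\Users\\bob\\Documents\\Default.rdp"},
    {"EventID": "11", "ProcessGuid": "{GUID-B}",
     "TargetFilename": "C:\\Users\\bob\\Documents\\notes.txt"},
]


def find_anomalous_rdp_writes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per Default.rdp file event whose creating process is not mstsc.exe."""
    # Index process-creation events by ProcessGuid; this is the join key used
    # to attribute a file event to the image that produced it.
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == "1"}
    findings = []
    for e in events:
        if e["EventID"] != "11":
            continue
        target = e.get("TargetFilename", "")
        # Match on the file name only, so any user profile path is covered.
        if target.lower().rsplit("\\", 1)[-1] != "default.rdp":
            continue
        proc = procs.get(e["ProcessGuid"])
        # A file event with no matching process event is still reported: the
        # writer is unknown, which is itself worth an analyst's attention.
        image = proc["Image"] if proc else "<unknown>"
        if image.lower().endswith("\\mstsc.exe"):
            continue  # expected writer, suppress
        findings.append({"user": proc["User"] if proc else "<unknown>",
                         "image": image, "file": target})
    return findings


if __name__ == "__main__":
    for f in find_anomalous_rdp_writes(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} image={f['image']} file={f['file']}")
```

Tuning for the false positives the page mentions would go in the mstsc.exe check, for example an allow-list of additional images or a host filter.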
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1021.001
Created: 2025-10-27