
Summary
The RDP Brute-force Detection rule monitors for unauthorized access attempts against Windows Remote Desktop Protocol (RDP). It identifies potential brute-force attacks by analyzing Windows event logs, specifically Event ID 5156 (the Windows Filtering Platform permitted a connection) and Event ID 4625 (an account failed to log on). The rule filters for inbound traffic on port 3389, the standard RDP port. A source that produces numerous failed logons (more than three) with the 'Unknown user name or bad password' failure reason is flagged as a potential brute-force attack. The results, together with contextual information such as the source country and IP addresses, are aggregated and presented for further investigation. The detection techniques align with known adversary tactics: credential access through brute force (T1110.001) and access via external remote services (T1133). The rule's data source is Windows event logs, which provide the event data needed to evaluate authentication attempts.
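The correlation the rule describes (inbound 5156 on port 3389, then more than three 4625 events with the bad-credentials failure reason from the same source, enriched with a source country), worked through as an added Python example. This is illustrative code, not the rule's own query or engine; the events, the GeoIP table and the field names are constructed for this example, loosely following Windows Security log fields.

```python
from collections import defaultdict

RDP_PORT = 3389
# Failure Reason text Windows writes into 4625 for NTSTATUS 0xC000006D.
BAD_CREDS = "Unknown user name or bad password."

def _failed_logon(ip, user, reason=BAD_CREDS):
    return {"EventID": 4625, "IpAddress": ip, "TargetUserName": user,
            "FailureReason": reason}

def _permitted_inbound(ip, port=RDP_PORT):
    return {"EventID": 5156, "Direction": "Inbound", "DestPort": port,
            "SourceAddress": ip}

# Constructed sample events (not real telemetry); field names follow the
# Windows Security log but every value here is invented for this example.
SAMPLE_EVENTS = [
    _permitted_inbound("203.0.113.10"),
    *[_failed_logon("203.0.113.10", "admin") for _ in range(3)],
    *[_failed_logon("203.0.113.10", "Administrator") for _ in range(2)],
    _failed_logon("203.0.113.10", "admin", "Account locked out."),  # other reason, not counted
    _permitted_inbound("198.51.100.7"),
    *[_failed_logon("198.51.100.7", "svc") for _ in range(2)],      # under the threshold
    _permitted_inbound("192.0.2.5", port=445),                      # not an RDP connection
    *[_failed_logon("192.0.2.5", "admin") for _ in range(4)],
]

# Constructed stand-in for the rule's source-country enrichment (hypothetical data).
GEO = {"203.0.113.10": "ZZ-example"}

def detect_rdp_bruteforce(events, threshold=3, geo=GEO):
    """Return {source_ip: summary} for sources that were permitted inbound to
    port 3389 (Event ID 5156) and then produced more than `threshold`
    Event ID 4625 records with the bad-credentials failure reason."""
    rdp_sources = {e["SourceAddress"] for e in events
                   if e["EventID"] == 5156 and e["Direction"] == "Inbound"
                   and e["DestPort"] == RDP_PORT}
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["FailureReason"] == BAD_CREDS:
            failures[e["IpAddress"]].append(e["TargetUserName"])
    hits = {}
    for ip, users in failures.items():
        if ip in rdp_sources and len(users) > threshold:
            hits[ip] = {"failed_logons": len(users),
                        "targets": sorted(set(users)),
                        "source_country": geo.get(ip, "unknown")}
    return hits

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

Only 203.0.113.10 is flagged: 198.51.100.7 stays under the threshold, and 192.0.2.5's failures are not tied to an inbound RDP connection, which is the false-positive filter the 5156 join provides.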
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1110.001
- T1133
Created: 2024-02-09