RDP (Remote Desktop Protocol) from the Internet

Elastic Detection Rules

Summary
This detection rule identifies RDP (Remote Desktop Protocol) connections initiated from the Internet. Such connections carry significant risk because Internet-exposed RDP services are a frequent target for threat actors seeking unauthorized access. RDP is a vital tool for administrators performing system maintenance, but exposing it directly to the Internet is rarely advisable: attackers often use it as an entry point for intrusions or to establish backdoors. The rule works by monitoring TCP traffic on port 3389, the port RDP listens on, and flags external connections that may indicate a security threat. It excludes a set of internal IP address ranges that typically should not be exposed to the public Internet, so benign traffic originating from these protected networks is filtered out. It also includes an analysis guideline for examining potential false positives arising from legitimate use cases such as internal maintenance activities or trusted third-party access. The overall goal of the rule is to promptly identify and mitigate unauthorized connections to RDP services, improving overall network security.
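The following is an added illustration of the rule's logic, not the rule's own query or Elastic's code: it runs the "TCP to port 3389, source outside the internal ranges, destination inside them" check over constructed flow records with ECS-style field names. The internal range list is an assumed, representative selection (RFC 1918, loopback, link-local, CGNAT, multicast, and their IPv6 counterparts); the actual rule's exclusion list lives in its source and may differ.

```python
import ipaddress

# Assumed internal/reserved ranges; a representative set, not the rule's exact list.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",    # IPv6 loopback, link-local, ULA, multicast
)]

RDP_PORT = 3389


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    # Membership is version-aware: an IPv4 address is never "in" an IPv6 network.
    return any(addr in net for net in INTERNAL_RANGES)


def is_rdp_from_internet(event: dict) -> bool:
    """TCP to 3389 on an internal host, from a source outside every internal range."""
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") != RDP_PORT:
        return False
    return not is_internal(event["source.ip"]) and is_internal(event["destination.ip"])


def find_alerts(events):
    """Return the subset of flow records that the rule would alert on."""
    return [e for e in events if is_rdp_from_internet(e)]


# Constructed sample flow records (not real traffic). Documentation prefixes
# such as 203.0.113.0/24 and 2001:db8::/32 stand in for public addresses here.
SAMPLE_EVENTS = [
    {"source.ip": "203.0.113.45", "destination.ip": "10.1.2.3",
     "destination.port": 3389, "network.transport": "tcp"},   # external -> internal: alert
    {"source.ip": "192.168.5.20", "destination.ip": "10.1.2.3",
     "destination.port": 3389, "network.transport": "tcp"},   # internal admin session: benign
    {"source.ip": "203.0.113.45", "destination.ip": "10.1.2.3",
     "destination.port": 443, "network.transport": "tcp"},    # not RDP: ignored
    {"source.ip": "203.0.113.45", "destination.ip": "10.1.2.3",
     "destination.port": 3389, "network.transport": "udp"},   # not TCP: ignored
    {"source.ip": "2001:db8::1", "destination.ip": "fd00::5",
     "destination.port": 3389, "network.transport": "tcp"},   # IPv6 external -> ULA host: alert
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("RDP from Internet:", alert["source.ip"], "->", alert["destination.ip"])
```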
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Firewall
  • Application Log
ATT&CK Techniques
  • T1021
  • T1190
Created: 2020-02-18