High Mean of RDP Session Duration

Elastic Detection Rules

Summary
The 'High Mean of RDP Session Duration' detection rule uses machine learning to monitor the duration of Remote Desktop Protocol (RDP) sessions and identify anomalies. Sessions that are unusually long may signal adversarial behavior such as lateral movement within a network: a long-lived RDP session gives an attacker a way to maintain persistent access to a compromised host while evading detection tools that look only for the initial logon. The rule analyzes RDP session durations over a specified time window and applies an anomaly score threshold of 70 to separate normal from suspicious session lengths. It is part of the Lateral Movement Detection integration, which is delivered through Elastic Fleet and requires the integration to be set up before the rule can produce alerts. The rule aims to improve security in environments where RDP is used by reducing the risk of unauthorized access and lateral movement. Investigation of an alert involves vetting the session details, correlating the user's other activity, and assessing the associated IP addresses to identify any malicious intent or pattern.
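As an added illustration (not Elastic's rule or ML job), the following shows the data preparation the rule relies on: pairing Windows Security logon (4624) and logoff (4634) events with logon type 10 (RemoteInteractive, i.e. RDP) by logon ID, computing per-window mean session duration, and flagging windows whose mean is far above a baseline. The sample events, the 4-hour window and the ratio-to-baseline flag are constructed assumptions; the real rule scores anomalies with a machine learning job whose 0-100 score is compared against the threshold of 70, which this simplified check does not reproduce.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events: (event_id, logon_type, logon_id, user, timestamp).
# 4624 = logon, 4634 = logoff; logon type 10 = RemoteInteractive (RDP).
EVENTS = [
    (4624, 10, "0x1a2b", "alice", "2023-10-12T09:00:00"),
    (4634, 10, "0x1a2b", "alice", "2023-10-12T09:20:00"),
    (4624, 10, "0x1a2c", "bob",   "2023-10-12T09:05:00"),
    (4634, 10, "0x1a2c", "bob",   "2023-10-12T09:35:00"),
    (4624, 2,  "0x1a2d", "carol", "2023-10-12T09:10:00"),  # console logon, not RDP
    (4634, 2,  "0x1a2d", "carol", "2023-10-12T18:00:00"),
    (4624, 10, "0x1a2e", "alice", "2023-10-12T13:00:00"),
    (4634, 10, "0x1a2e", "alice", "2023-10-12T23:00:00"),  # 10-hour RDP session
]

def rdp_session_durations(events):
    """Pair RDP logon/logoff events by logon ID; return {logon_id: (user, start, minutes)}.
    Sessions with no logoff yet are left out: their duration is not known until they end."""
    opened, sessions = {}, {}
    for event_id, logon_type, logon_id, user, ts in sorted(events, key=lambda e: e[4]):
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4624:
            opened[logon_id] = (user, t)
        elif event_id == 4634 and logon_id in opened:
            user, start = opened.pop(logon_id)
            sessions[logon_id] = (user, start, (t - start).total_seconds() / 60)
    return sessions

def mean_duration_by_window(sessions, window_hours=4):
    """Mean RDP session length in minutes per fixed window, keyed by the window start (ISO)."""
    buckets = defaultdict(list)
    for _user, start, minutes in sessions.values():
        bucket = start.replace(hour=start.hour - start.hour % window_hours, minute=0, second=0)
        buckets[bucket.isoformat()].append(minutes)
    return {k: mean(v) for k, v in buckets.items()}

def flag_windows(window_means, baseline_minutes, ratio=3.0):
    """Simplified stand-in for the ML anomaly score: flag windows whose mean
    is at least `ratio` times the baseline mean session length (assumed value)."""
    return sorted(k for k, m in window_means.items() if m >= baseline_minutes * ratio)
```

With the sample data, the 08:00 window averages 25 minutes and the 12:00 window 600 minutes, so only the latter is flagged against a 30-minute baseline.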
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1210
Created: 2023-10-12