RDP Connection

Anvilogic Forge

Summary
This detection rule monitors for the establishment of Remote Desktop Protocol (RDP) network connections through specific Event Codes. It covers both the initiation of an RDP session and the transmission of data over RDP ports (commonly TCP port 3389). The logic uses Sysmon event data to identify these connections and captures the relevant attributes: user information, timestamps, and source and destination details. Because RDP is a common vehicle for lateral movement and initial access, the rule helps surface such activity by threat actors, including APT groups and ransomware affiliates. Statistical aggregation and string matching on port numbers are used so that matching activity is not missed, and the necessary details are consolidated into a clear output table for analysis. The rule maps to the MITRE ATT&CK techniques for lateral movement over RDP and for external remote services, underlining the value of monitoring RDP as part of a security posture.
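As an added illustration of the approach the summary describes (not the rule's own logic, which is not shown on this page), the following Python filters constructed Sysmon Event ID 3 (network connection) records by destination port and aggregates the RDP hits into an output table per user, source and destination. The record field names follow Sysmon's schema; the values, the single-port assumption and the aggregation keys are assumptions for this example.

```python
"""Added example (not the Anvilogic rule's own logic): filter constructed
Sysmon Event ID 3 network-connection records for RDP (TCP/3389) and
aggregate them per user/source/destination, as the rule summary describes."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records modelled on Sysmon Event ID 3 fields; values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "3", "UtcTime": "2024-02-09 10:01:05", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "10.0.0.20", "DestinationPort": "3389", "Protocol": "tcp"},
    {"EventCode": "3", "UtcTime": "2024-02-09 10:01:09", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "10.0.0.20", "DestinationPort": "3389", "Protocol": "tcp"},
    {"EventCode": "3", "UtcTime": "2024-02-09 10:02:00", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "SourceIp": "10.0.0.7",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443", "Protocol": "tcp"},
    {"EventCode": "3", "UtcTime": "2024-02-09 10:03:30", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "SourceIp": "10.0.0.5",
     "DestinationIp": "10.0.0.21", "DestinationPort": "3389", "Protocol": "tcp"},
    # A process-creation event (ID 1) carries no port and must be ignored.
    {"EventCode": "1", "UtcTime": "2024-02-09 10:04:00", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

RDP_PORTS = {"3389"}  # assumption: RDP on its default port only


def is_rdp_connection(ev: Dict[str, str]) -> bool:
    """Keep only network-connection events (ID 3) whose destination port is an RDP port
    (string match on the port, as the summary describes)."""
    return ev.get("EventCode") == "3" and ev.get("DestinationPort") in RDP_PORTS


def aggregate_rdp(events) -> List[Dict[str, object]]:
    """Group RDP connections by (user, source, destination) and emit one output row
    per group with the connection count, first/last seen time and the client images."""
    times: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    images: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for ev in filter(is_rdp_connection, events):
        key = (ev["User"], ev["SourceIp"], ev["DestinationIp"])
        times[key].append(ev["UtcTime"])
        images[key].add(ev["Image"])
    return [{"user": u, "src_ip": s, "dest_ip": d, "dest_port": "3389",
             "count": len(ts), "first_seen": min(ts), "last_seen": max(ts),
             "images": sorted(images[(u, s, d)])}
            for (u, s, d), ts in sorted(times.items())]


if __name__ == "__main__":
    for row in aggregate_rdp(SAMPLE_EVENTS):
        print(row)
```

The HTTPS connection and the process-creation event are dropped; the two alice connections collapse into one row with a count of 2, which is the kind of consolidated view an analyst would triage.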
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1021.001
  • T1133
Created: 2024-02-09