Spike in Number of Connections Made from a Source IP

Elastic Detection Rules

Summary
This machine learning rule detects an anomalous spike in Remote Desktop Protocol (RDP) activity: a single source IP opening connections to an unusually large number of destination IPs in a short period. Legitimate RDP use from one host is normally confined to a small, stable set of destinations, so a sudden fan-out from one host to many others is a common sign of an attacker moving laterally after compromising an initial foothold. Rather than applying a fixed threshold, the rule relies on an anomaly detection job that learns a baseline of normal connection activity and flags departures from it, so that administrators and security teams can react before the attacker reaches higher-value systems.

The rule requires the Lateral Movement Detection integration to be installed and Windows RDP process events to be collected; without that telemetry the job has nothing to model.

Triage starts with the source IP and the set of destination IPs it reached, followed by the timestamps and pace of the connections, and then correlation of the spike with other network and host activity in the same window. The goal is to separate scheduled or interactive administration from hands-on-keyboard lateral movement. False positives are expected from routine administrative sessions and from network management or scanning tools that legitimately touch many hosts; such sources should be documented and, where appropriate, excluded. If unauthorized access is confirmed, the rule guidance calls for rapid containment: isolate the affected systems, review the source host and the reached destinations for compromise, and invalidate any credentials used. Taken together, this makes the rule one layer of a defense-in-depth strategy against lateral movement.
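The following is an added example, not part of the Elastic rule or its integration. It is a hand-written approximation of the idea the rule is built on: bucket RDP connections per source IP, count distinct destinations per time window, and flag windows that are both an absolute fan-out and a relative jump against that source's own history. The Elastic rule itself is an ML anomaly detection job, not this heuristic; the event tuples, thresholds, and helper names here are all constructed for illustration.

```python
"""Simplified stand-in for a "spike in RDP connections from one source IP"
detection. Not the Elastic ML job; a hand-written heuristic for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

RDP_PORT = 3389

# Constructed sample telemetry (not real data), reduced to the fields needed:
# (timestamp, source.ip, destination.ip, destination.port).
SAMPLE_EVENTS = [
    # 10.0.0.5 is a jump host: a couple of servers per hour, every hour.
    ("2023-10-12T08:02:10Z", "10.0.0.5", "10.0.1.10", 3389),
    ("2023-10-12T08:07:45Z", "10.0.0.5", "10.0.1.11", 3389),
    ("2023-10-12T09:01:02Z", "10.0.0.5", "10.0.1.12", 3389),
    ("2023-10-12T10:04:30Z", "10.0.0.5", "10.0.1.10", 3389),
    ("2023-10-12T10:08:12Z", "10.0.0.5", "10.0.1.13", 3389),
    ("2023-10-12T13:03:00Z", "10.0.0.5", "10.0.1.11", 3389),
    # 10.0.0.77 is a workstation that normally reaches one server...
    ("2023-10-12T08:31:00Z", "10.0.0.77", "10.0.1.10", 3389),
    ("2023-10-12T09:33:20Z", "10.0.0.77", "10.0.1.10", 3389),
    ("2023-10-12T09:35:00Z", "10.0.0.77", "10.0.1.99", 445),   # SMB, not RDP: ignored
    # ...and then fans out to eight hosts within ten minutes.
    ("2023-10-12T11:41:03Z", "10.0.0.77", "10.0.1.20", 3389),
    ("2023-10-12T11:41:15Z", "10.0.0.77", "10.0.1.21", 3389),
    ("2023-10-12T11:42:01Z", "10.0.0.77", "10.0.1.22", 3389),
    ("2023-10-12T11:43:40Z", "10.0.0.77", "10.0.1.23", 3389),
    ("2023-10-12T11:45:09Z", "10.0.0.77", "10.0.1.24", 3389),
    ("2023-10-12T11:46:30Z", "10.0.0.77", "10.0.1.25", 3389),
    ("2023-10-12T11:47:55Z", "10.0.0.77", "10.0.1.26", 3389),
    ("2023-10-12T11:49:20Z", "10.0.0.77", "10.0.1.27", 3389),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def window_start(t, window_minutes):
    """Floor a timestamp to a fixed window (window_minutes must divide 60)."""
    return t.replace(minute=(t.minute // window_minutes) * window_minutes,
                     second=0, microsecond=0)


def bucket_rdp_events(events, window_minutes=10):
    """Return {source_ip: {window_start: set(destination_ip)}} for RDP traffic only."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, port in events:
        if port != RDP_PORT:
            continue
        buckets[src][window_start(parse_ts(ts), window_minutes)].add(dst)
    return buckets


def find_fanout_spikes(buckets, min_destinations=5, multiplier=3.0):
    """Flag windows whose distinct-destination count is both an absolute fan-out
    (>= min_destinations, so an admin touching two hosts never fires) and a
    relative spike (> multiplier * median of that source's other windows).
    A source with no history gets a baseline of 0, so a first-seen fan-out fires."""
    alerts = []
    for src, per_window in buckets.items():
        counts = {w: len(dsts) for w, dsts in per_window.items()}
        for w in sorted(counts):
            n = counts[w]
            history = [c for ww, c in counts.items() if ww != w]
            baseline = statistics.median(history) if history else 0
            if n >= min_destinations and n > multiplier * baseline:
                alerts.append({
                    "source.ip": src,
                    "window_start": w.isoformat(),
                    "distinct_destinations": n,
                    "baseline_median": baseline,
                })
    return alerts


def triage_context(events, source_ip, window_start_iso, window_minutes=10):
    """Investigative view behind an alert: the ordered (timestamp, destination)
    pairs, so an analyst can judge pace and target selection (eight hosts in
    eight minutes reads differently from eight hosts spread over a day)."""
    start = datetime.fromisoformat(window_start_iso)
    end = start + timedelta(minutes=window_minutes)
    rows = [(ts, dst) for ts, src, dst, port in events
            if src == source_ip and port == RDP_PORT and start <= parse_ts(ts) < end]
    return sorted(rows)


if __name__ == "__main__":
    for alert in find_fanout_spikes(bucket_rdp_events(SAMPLE_EVENTS)):
        print(alert)
        for ts, dst in triage_context(SAMPLE_EVENTS, alert["source.ip"], alert["window_start"]):
            print("   ", ts, "->", dst)
```

The two-part condition is the point worth carrying over to any real tuning: the absolute floor keeps a busy administrator who reaches two or three servers per window out of the alert stream, while the relative check against the source's own history is what separates a scanner or jump host that always fans out (a known, documentable false positive) from a workstation that has never done so before. On real data the baseline would come from the ML job's model rather than a median over a handful of windows.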
Categories
  • Network
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Network Traffic
ATT&CK Techniques
  • T1210 (Exploitation of Remote Services)
Created: 2023-10-12