
Crowdstrike Real Time Response (RTS) Session

Panther Rules

Summary
This rule detects when a Real Time Response (RTR) session is started or ended through the Crowdstrike API. It focuses on external API interactions that use Crowdstrike's RTR capability, which allows remote command execution on a host, by matching two events, Session Start and Session End, both generated by the external API (ExternalApiEvent) within the Crowdstrike platform. The rule ships with tests that replay sample events and confirm whether an RTR session has started or ended; each test checks for the expected payload fields, such as the session ID, timestamps, and the user identifier, so that an alert carries the context needed to distinguish unauthorized access or activity from routine response work. Alerts are classified as Medium severity: the event warrants investigation but is not by itself evidence of compromise, since RTR is also how legitimate responders operate. When a session is detected, the effective response is to validate the context and legitimacy of the action with the user identified in the logs, for example by confirming that a ticket or active investigation accounts for it.
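The following is an added example, not Panther's published rule, showing how a Panther-style rule function can match the Session Start and Session End events described above and surface the session ID, timestamps, and user identifier in the alert context. The record layout it assumes (an `event_simpleName` of `ExternalApiEvent` with a nested `event` object carrying `ExternalApiType`, `SessionId`, `UserName`, `HostnameField`, `StartTimestamp`, `EndTimestamp` and `Commands`) and the two `ExternalApiType` values are assumptions about the Crowdstrike event schema, and the sample events are constructed for the example.

```python
"""Added example (not Panther's rule): detect Crowdstrike RTR session start/end
events delivered as ExternalApiEvent records. Field names are assumptions about
the event schema; sample events below are constructed."""
from typing import Any

# Assumed ExternalApiType values marking the two phases of an RTR session.
RTR_SESSION_EVENT_TYPES = {
    "Event_RemoteResponseSessionStartEvent": "Session Start",
    "Event_RemoteResponseSessionEndEvent": "Session End",
}
SEVERITY = "MEDIUM"


def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys, returning default if any level is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: dict) -> bool:
    """Alert only on external API events that start or end an RTR session."""
    if event.get("event_simpleName") != "ExternalApiEvent":
        return False
    return deep_get(event, "event", "ExternalApiType") in RTR_SESSION_EVENT_TYPES


def title(event: dict) -> str:
    """Human-readable alert title: which phase, which user, which host."""
    phase = RTR_SESSION_EVENT_TYPES.get(
        deep_get(event, "event", "ExternalApiType"), "Session"
    )
    user = deep_get(event, "event", "UserName", default="<unknown user>")
    host = deep_get(event, "event", "HostnameField", default="<unknown host>")
    return f"Crowdstrike RTR {phase} by {user} on {host}"


def alert_context(event: dict) -> dict:
    """The payload fields an analyst needs to validate the session."""
    ev = event.get("event", {})
    return {
        "phase": RTR_SESSION_EVENT_TYPES.get(ev.get("ExternalApiType")),
        "session_id": ev.get("SessionId"),
        "user": ev.get("UserName"),
        "host": ev.get("HostnameField"),
        "start": ev.get("StartTimestamp"),
        "end": ev.get("EndTimestamp"),
        # Session End records carry the commands run; Session Start does not.
        "commands": ev.get("Commands", []),
        "severity": SEVERITY,
    }


def evaluate(events: list) -> list:
    """Run the rule over a batch; return (title, context) for each hit."""
    return [(title(e), alert_context(e)) for e in events if rule(e)]


# Constructed sample events: one start/end pair, plus two records that must not fire.
SAMPLE_EVENTS = [
    {
        "event_simpleName": "ExternalApiEvent",
        "event": {
            "ExternalApiType": "Event_RemoteResponseSessionStartEvent",
            "SessionId": "11111111-2222-3333-4444-555555555555",
            "UserName": "analyst@example.com",
            "HostnameField": "WS-FINANCE-07",
            "StartTimestamp": 1670947200,
        },
    },
    {
        "event_simpleName": "ExternalApiEvent",
        "event": {
            "ExternalApiType": "Event_RemoteResponseSessionEndEvent",
            "SessionId": "11111111-2222-3333-4444-555555555555",
            "UserName": "analyst@example.com",
            "HostnameField": "WS-FINANCE-07",
            "EndTimestamp": 1670947500,
            "Commands": ["ls", "get C:\\Users\\Public\\payload.exe"],
        },
    },
    # Another external API event type: not an RTR session.
    {
        "event_simpleName": "ExternalApiEvent",
        "event": {"ExternalApiType": "Event_DetectionSummaryEvent", "UserName": "x"},
    },
    # Sensor telemetry with a misleading nested field: wrong event_simpleName.
    {
        "event_simpleName": "ProcessRollup2",
        "event": {"ExternalApiType": "Event_RemoteResponseSessionStartEvent"},
    },
]

if __name__ == "__main__":
    for alert_title, ctx in evaluate(SAMPLE_EVENTS):
        print(alert_title, ctx)
```

The `session_id` in the context is what lets a responder pair a Session Start alert with its Session End and read the commands that were actually run; checking `event_simpleName` before the nested type keeps sensor records that happen to carry a similar field from triggering the rule.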
Categories
  • Cloud
  • Endpoint
  • Windows
  • Application
Data Sources
  • Script
  • Application Log
  • Network Traffic
  • Cloud Service
Created: 2022-12-13