
Spike in Number of Processes in an RDP Session

Elastic Detection Rules

Summary
This rule uses machine learning to detect unusual spikes in the number of processes started during Remote Desktop Protocol (RDP) sessions. A large number of processes launched remotely in a single session can indicate an adversary moving laterally through the environment, so the rule monitors per-session process activity for that pattern. It belongs to the Lateral Movement Detection integration and relies on Elastic's Anomaly Detection feature, flagging activity that exceeds an anomaly threshold of 70%. The rule runs every 15 minutes and analyzes data from the last 12 hours. Setup requires installing the Lateral Movement Detection integration and collecting RDP process events through the Elastic Defend integration. When the rule fires, the accompanying investigation guide lays out steps for triage and remediation, with emphasis on distinguishing legitimate administrative activity from malicious actions that may indicate exploitation of remote services.
Categories
  • Endpoint
  • Windows
  • Linux
  • Cloud
Data Sources
  • Process
  • Network Traffic
  • Logon Session
  • Application Log
  • User Account
ATT&CK Techniques
  • T1210 (Exploitation of Remote Services)
Created: 2023-10-12