
Summary
This detection rule monitors Windows RDP client connection sequence events, identified by EventCode 1024 in the Microsoft-Windows-TerminalServices-RDPClient/Operational log. It tracks the point at which the RDP ClientActiveX component begins a connection to a remote server. This phase is significant because it is where client and server exchange settings and establish the parameters of the remote session. Because this log is written on the machine that initiates the connection, the events describe outbound RDP activity from the client side. Analyzing them makes it possible to identify abnormal RDP connection patterns that may indicate lateral movement, unauthorized access attempts, or connection sequences characteristic of compromised systems. The analytic expects events ingested in multi-line (non-XML) WinEventLog format because of parsing limitations with the XML rendering. To implement this detection, ensure the relevant operational log is collected from Windows endpoints, and tune for your environment to minimize false positives by establishing a baseline of normal RDP activity and allowlisting known connections.
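The detection logic described above, applied to constructed sample records, as an added example that is not part of the original rule or the Splunk content project. It assumes Splunk's multi-line WinEventLog layout (one field=value per line, records separated by a blank line), that the EventCode 1024 message names the target host in parentheses, and a hypothetical per-source baseline of known RDP targets; the hostnames and the fan-out threshold are invented for illustration.

```python
import re
from collections import defaultdict

RDP_CLIENT_LOG = "Microsoft-Windows-TerminalServices-RDPClient/Operational"
CONNECT_EVENT_CODE = "1024"

# Assumption: the 1024 message ends with the target host in parentheses.
TARGET_RE = re.compile(r"\(([^)]+)\)\s*$")

# Constructed sample records (not real telemetry) in multi-line WinEventLog layout.
SAMPLE_EVENTS = """\
LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024
ComputerName=WS01.corp.example
Message=RDP ClientActiveX is trying to connect to the server (jump01.corp.example)

LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1026
ComputerName=WS01.corp.example
Message=RDP ClientActiveX has been disconnected (Reason= 2)

LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024
ComputerName=WS01.corp.example
Message=RDP ClientActiveX is trying to connect to the server (srv-db01.corp.example)

LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024
ComputerName=WS02.corp.example
Message=RDP ClientActiveX is trying to connect to the server (srv-a.corp.example)

LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024
ComputerName=WS02.corp.example
Message=RDP ClientActiveX is trying to connect to the server (srv-b.corp.example)

LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
EventCode=1024
ComputerName=WS02.corp.example
Message=RDP ClientActiveX is trying to connect to the server (srv-c.corp.example)
"""

# Hypothetical baseline: which RDP targets each client host is known to reach.
BASELINE = {"ws01.corp.example": {"jump01.corp.example"}}


def parse_multiline_events(text):
    """Split multi-line WinEventLog text into one dict of field=value per record."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def extract_target(message):
    """Return the lower-cased target host named in an EventCode 1024 message, or None."""
    m = TARGET_RE.search(message)
    return m.group(1).lower() if m else None


def rdp_connect_attempts(events):
    """Yield (source_host, target_host) for each 1024 event from the RDP client log."""
    for ev in events:
        if ev.get("LogName") != RDP_CLIENT_LOG or ev.get("EventCode") != CONNECT_EVENT_CODE:
            continue
        target = extract_target(ev.get("Message", ""))
        if target:
            yield ev.get("ComputerName", "").lower(), target


def detect(events, baseline, fanout_threshold=3):
    """Flag targets outside the per-source baseline and sources reaching many distinct targets."""
    alerts = []
    targets_by_source = defaultdict(set)
    for source, target in rdp_connect_attempts(events):
        targets_by_source[source].add(target)
        if target not in baseline.get(source, set()):
            alerts.append((source, target, "target not in baseline"))
    # A single client opening RDP to many distinct hosts is a lateral-movement pattern.
    for source, targets in targets_by_source.items():
        if len(targets) >= fanout_threshold:
            alerts.append((source, None, f"{len(targets)} distinct RDP targets"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_multiline_events(SAMPLE_EVENTS), BASELINE):
        print(alert)
```

The baseline check produces one alert per event, so a noisy environment should seed the baseline from a few weeks of observed 1024 events before enabling alerting; the fan-out check is the lower-noise signal for lateral movement and its threshold should be set from the normal number of distinct targets per workstation.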
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1133
Created: 2025-01-21