
Summary
This experimental OpenCanary rule detects RDP connection attempts to an OpenCanary node. It monitors the OpenCanary application logs (logtype 14001) and raises an alert on any new RDP connection event. The rule is designed as an early-warning signal for potential probing, unauthorized access attempts, or exploit attempts targeting a honeypot service. It aligns with ATT&CK techniques for Initial Access (T1133) and Lateral Movement (T1021.001) as indicated by its tags. False positives are labeled as unlikely, reflecting the honeypot context where legitimate RDP access to a decoy service is rare. The rule’s status is experimental, suggesting it should be evaluated in test environments before deployment in production.
Detection context: an OpenCanary honeypot exposing a decoy RDP service, with logs generated by the opencanary logger. The rule triggers on the presence of log entries of the specified logtype, serving as a straightforward indicator that someone is attempting to connect to the decoy RDP service; because no legitimate client should ever reach the decoy, even a single event is worth investigating, and it can help identify automated scanning or targeted exploitation attempts early in the attack lifecycle.
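The following Python snippet is an added example, not code from the rule or from the OpenCanary project, showing how the detection described above behaves when applied to opencanary's JSON-per-line log output: every event whose logtype is 14001 becomes an alert, everything else is ignored, and a malformed line does not break processing. The sample log lines are constructed for this example; the field names (logtype, src_host, src_port, dst_host, dst_port, node_id, utc_time, logdata) follow the usual OpenCanary layout but are assumptions here, and the alert title and tag strings are illustrative rather than the rule's own.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Logtype the rule keys on for RDP connection events (from the rule summary).
RDP_LOGTYPE = 14001

# ATT&CK tags the summary attributes to the rule, written in Sigma tag style (assumed format).
RULE_TAGS = ["attack.initial_access", "attack.t1133",
             "attack.lateral_movement", "attack.t1021.001"]

# Constructed sample of opencanary logger output: two RDP events from two sources,
# one unrelated HTTP event, and one non-JSON line. Field names are assumptions.
SAMPLE_LOG = """\
{"dst_host": "10.0.0.5", "dst_port": 3389, "logtype": 14001, "node_id": "opencanary-1", "src_host": "203.0.113.7", "src_port": 51234, "utc_time": "2026-01-06 10:15:02.123456", "logdata": {"MSG": "RDP connection"}}
{"dst_host": "10.0.0.5", "dst_port": 80, "logtype": 3000, "node_id": "opencanary-1", "src_host": "203.0.113.7", "src_port": 51240, "utc_time": "2026-01-06 10:15:05.000000", "logdata": {"PATH": "/"}}
this line is not json and must not stop the detector
{"dst_host": "10.0.0.5", "dst_port": 3389, "logtype": "14001", "node_id": "opencanary-1", "src_host": "198.51.100.9", "src_port": 40001, "utc_time": "2026-01-06 10:16:40.500000", "logdata": {}}
"""


def parse_events(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse JSON-per-line log output, silently skipping blank or malformed lines."""
    events: List[Dict[str, Any]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort detection on the rest of the log
        if isinstance(obj, dict):
            events.append(obj)
    return events


def _logtype(event: Dict[str, Any]) -> Optional[int]:
    """Return the event's logtype as an int; some shippers stringify numeric fields."""
    value = event.get("logtype")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def detect_rdp_connections(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Apply the rule: one alert per event whose logtype matches RDP_LOGTYPE."""
    alerts: List[Dict[str, Any]] = []
    for event in parse_events(lines):
        if _logtype(event) != RDP_LOGTYPE:
            continue
        alerts.append({
            "title": "OpenCanary RDP connection attempt",  # illustrative alert title
            "tags": list(RULE_TAGS),
            "node_id": event.get("node_id"),
            "src_host": event.get("src_host"),
            "src_port": event.get("src_port"),
            "dst_host": event.get("dst_host"),
            "dst_port": event.get("dst_port"),
            "utc_time": event.get("utc_time"),
        })
    return alerts


def sources_by_hits(alerts: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count alerts per source host, a quick triage view of who touched the decoy."""
    return dict(Counter(a["src_host"] for a in alerts if a.get("src_host")))


if __name__ == "__main__":
    hits = detect_rdp_connections(SAMPLE_LOG.splitlines())
    for alert in hits:
        print(f"{alert['utc_time']} {alert['src_host']}:{alert['src_port']} -> "
              f"{alert['dst_host']}:{alert['dst_port']} {alert['title']}")
    print("sources:", sources_by_hits(hits))
```

Because the rule matches on logtype alone, the only selectivity comes from the honeypot context: the decoy's addresses and ports are what make the source list above meaningful, and the per-source count is the first thing an analyst would pivot on when deciding whether a hit is a broad scan or a targeted attempt.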
Categories
- Endpoint
Data Sources
- Application Log
Created: 2026-01-06