
Summary
This detection rule identifies successful Remote Desktop Protocol (RDP) connections by tracking Event Code 1149 in the Windows TerminalServices RemoteConnectionManager Operational log. A successful RDP connection can indicate that an attacker is accessing a system remotely, which may lead to unauthorized access, data exfiltration, or lateral movement within the network, so detecting such connections supports early identification of a potential breach. The analytic uses Splunk to parse the relevant logs and produces statistics on the frequency and timing of RDP connections by user and destination. Organizations that rely on RDP for legitimate administrative tasks are advised to implement this detection so that unauthorized access can be caught and mitigated quickly.
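The aggregation the rule describes (count, first and last time of Event 1149 per user and destination host), worked as an added Python example over constructed event records rather than the rule's own Splunk search. The Param1/Param2/Param3 mapping (user, domain, source address) is assumed from the event's XML layout and is not taken from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
RDP_AUTH_SUCCEEDED = 1149  # "Remote Desktop Services: User authentication succeeded"


def _event_xml(event_id, computer, time_created, user, domain, src_ip, channel=CHANNEL):
    """Build a constructed Windows Event XML record (sample data, not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Channel>{channel}</Channel>"
        f'<TimeCreated SystemTime="{time_created}"/><Computer>{computer}</Computer></System>'
        '<UserData><EventXML xmlns="Event_NS">'
        f"<Param1>{user}</Param1><Param2>{domain}</Param2><Param3>{src_ip}</Param3>"
        "</EventXML></UserData></Event>"
    )


# Constructed sample events; the 1148 record is there to show the event-ID filter working.
SAMPLE_EVENTS = [
    _event_xml(1149, "srv01.corp.example", "2024-11-13T08:00:00Z", "alice", "CORP", "10.0.0.5"),
    _event_xml(1149, "srv01.corp.example", "2024-11-13T09:30:00Z", "alice", "CORP", "10.0.0.5"),
    _event_xml(1149, "db02.corp.example", "2024-11-13T23:15:00Z", "svc-backup", "CORP", "10.0.9.77"),
    _event_xml(1148, "srv01.corp.example", "2024-11-13T10:00:00Z", "bob", "CORP", "10.0.0.6"),
]


def parse_event(xml_text):
    """Flatten the fields we need out of the namespaced Event XML."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "TimeCreated":
            fields["time"] = datetime.fromisoformat(el.attrib["SystemTime"].replace("Z", "+00:00"))
        elif el.text and el.text.strip():
            fields[name] = el.text.strip()
    return fields


def rdp_connection_stats(events):
    """Count, first/last time and source addresses per (DOMAIN\\user, destination host)."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sources": set()})
    for xml_text in events:
        ev = parse_event(xml_text)
        if int(ev.get("EventID", 0)) != RDP_AUTH_SUCCEEDED or ev.get("Channel") != CHANNEL:
            continue  # only successful RDP authentications from the expected channel
        key = (f"{ev.get('Param2', '')}\\{ev['Param1']}", ev["Computer"])
        entry = stats[key]
        entry["count"] += 1
        entry["first"] = ev["time"] if entry["first"] is None else min(entry["first"], ev["time"])
        entry["last"] = ev["time"] if entry["last"] is None else max(entry["last"], ev["time"])
        entry["sources"].add(ev.get("Param3", ""))
    return dict(stats)
```

Event 1149 records that authentication at the RDP listener succeeded, not that an interactive session was established, so a triage step is to correlate each row with the corresponding logon events before treating it as a confirmed session.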
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1563.002
Created: 2024-11-13