
Summary
This detection rule identifies use of the Windows network shell utility (netsh.exe) to modify Windows Firewall settings so that inbound Remote Desktop Protocol (RDP) connections are allowed. The rule applies only to Windows operating systems and draws on data from several indexes, including Winlogbeat, endpoint process logs and M365 Defender, among others. By monitoring invocations of netsh.exe with arguments indicative of allowing RDP, the rule aims to prevent unauthorized access via RDP, a common attack vector used by threat actors, including ransomware operators. Upon detection, it recommends the following investigation steps: identify the user responsible for the action, verify whether RDP should be enabled on the host in question, and examine related alerts to decide whether further action is necessary.
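As an added illustration, not the rule's own query (which this page does not reproduce), the Python below approximates the detection over constructed process-creation events and keeps the host and user fields the investigation steps ask for. The netsh argument patterns it matches are assumptions drawn from the documented netsh advfirewall / legacy netsh firewall syntax, not the rule's actual criteria.

```python
import re

# Constructed sample process-creation events; hostnames, users and command
# lines are invented for this example and are not from any real environment.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="rdp in" dir=in '
                     'protocol=TCP localport=3389 action=allow'},
    {"host": "ws02", "user": "bob", "process": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"host": "ws03", "user": "carol", "process": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface ip show config"},           # benign netsh use
    {"host": "ws04", "user": "dave", "process": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="rdp block" dir=in '
                     'localport=3389 action=block'},                # tightens, does not allow
    {"host": "ws05", "user": "erin", "process": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c echo localport=3389 action=allow"},  # not netsh.exe
]

# Assumed argument patterns (not the rule's real criteria): modern "advfirewall
# firewall" rules and the legacy "firewall set service type=remotedesktop
# mode=enable" form are both covered.
_RDP_TARGET = re.compile(r"remote ?desktop|localport\s*=\s*3389\b")
_PERMIT = re.compile(r"action\s*=\s*allow|enable\s*=\s*yes|mode\s*=\s*enable")


def is_rdp_allow_via_netsh(event: dict) -> bool:
    """Return True when a process event looks like netsh.exe opening inbound RDP."""
    process = event.get("process", "").lower()
    if not process.endswith("netsh.exe"):
        return False
    cmd = event.get("command_line", "").lower()
    # Only firewall changes matter, and outbound rules do not expose RDP.
    if "firewall" not in cmd or "dir=out" in cmd:
        return False
    return bool(_RDP_TARGET.search(cmd)) and bool(_PERMIT.search(cmd))


def find_rdp_allow_events(events: list) -> list:
    """Filter events and keep the triage fields the investigation steps need."""
    return [
        {"host": e["host"], "user": e["user"], "command_line": e["command_line"]}
        for e in events
        if is_rdp_allow_via_netsh(e)
    ]


if __name__ == "__main__":
    for hit in find_rdp_allow_events(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['command_line']}")
```

A rule tuned this way still needs the verification step above: an administrator legitimately enabling RDP produces the same event, so the user and host context decide whether it is a finding.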
Categories
- Windows
- Endpoint
Data Sources
- Process
- Firewall
- Windows Registry
- Application Log
- Network Traffic
ATT&CK Techniques
- T1562
- T1562.004
Created: 2020-10-13