
Summary
This detection rule identifies Remote Desktop Protocol (RDP) listeners that accept connections from publicly routable IP addresses. An RDP service that is reachable from routable addresses may be unintentionally exposed to the internet, which significantly increases the risk of unauthorized access and brute-force attacks. The rule uses connection data from the Zeek network monitor and filters out connections whose source address falls in local or reserved ranges (private, loopback, link-local and similar non-routable space), since traffic from those addresses is expected inside a network. If any RDP connection remains after these exclusions, the rule triggers an alert indicating that a publicly accessible RDP service has been identified. This matters for limiting lateral movement, because attackers frequently use exposed remote services to gain an initial foothold and then move further into victim networks.
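The filtering logic described above, written out as an added example (this is illustrative code, not the rule's own query or Zeek's code): it reads Zeek conn.log records in JSON form, keeps only RDP connections, drops sources in non-routable ranges, and returns the remainder as alerts. The sample log lines are constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses and are therefore deliberately not in the exclusion list. Identifying RDP by the Zeek `service` field with a fallback to TCP port 3389 is an assumption about how such a rule would match, not something the page states.

```python
import ipaddress
import json

# Source ranges that are not routable on the public internet. A connection
# whose originator falls in one of these is treated as local/reserved and
# excluded from the alert. Documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) are intentionally omitted so they can stand in for public
# addresses in the constructed sample below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_routable(addr: str) -> bool:
    """True if addr is outside every local/reserved range above."""
    ip = ipaddress.ip_address(addr)
    # Membership across IPv4/IPv6 families simply returns False, so mixing
    # both families in NON_ROUTABLE is safe.
    return not any(ip in net for net in NON_ROUTABLE)


def is_rdp(conn: dict) -> bool:
    """Assumed matching logic: Zeek's protocol label, or the default RDP port."""
    if conn.get("service") == "rdp":
        return True
    return conn.get("proto") == "tcp" and conn.get("id.resp_p") == 3389


def exposed_rdp_connections(log_lines):
    """Return one alert dict per RDP connection from a routable source."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        conn = json.loads(line)
        if not is_rdp(conn):
            continue
        src = conn["id.orig_h"]
        if not is_routable(src):
            continue  # expected internal/reserved traffic
        alerts.append({
            "ts": conn["ts"],
            "src": src,
            "dst": conn["id.resp_h"],
            "dst_port": conn["id.resp_p"],
            # conn_state tells an analyst whether the handshake completed
            # (SF) or only a SYN was seen (S0); both indicate reachability.
            "conn_state": conn.get("conn_state"),
        })
    return alerts


# Constructed Zeek conn.log records (JSON output format), not real traffic.
SAMPLE_CONN_LOG = """
{"ts":1598054400.1,"id.orig_h":"10.0.5.23","id.orig_p":51234,"id.resp_h":"10.0.5.40","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"SF"}
{"ts":1598054401.2,"id.orig_h":"203.0.113.77","id.orig_p":40022,"id.resp_h":"10.0.5.40","id.resp_p":3389,"proto":"tcp","service":"rdp","conn_state":"S0"}
{"ts":1598054402.3,"id.orig_h":"198.51.100.9","id.orig_p":40023,"id.resp_h":"10.0.5.40","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1598054403.4,"id.orig_h":"100.64.3.3","id.orig_p":40024,"id.resp_h":"10.0.5.40","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1598054404.5,"id.orig_h":"203.0.113.78","id.orig_p":40025,"id.resp_h":"10.0.5.40","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
"""

if __name__ == "__main__":
    for alert in exposed_rdp_connections(SAMPLE_CONN_LOG.splitlines()):
        print(alert)
```

Run against the sample, only the two 203.0.113.x sources produce alerts: the 10.0.5.23 and 100.64.3.3 (carrier-grade NAT) sources are excluded as non-routable, and the 198.51.100.9 connection is dropped because it is HTTPS rather than RDP. When adapting this to a real environment, the exclusion list should also carry the organization's own public prefixes and any known management/VPN egress addresses, otherwise legitimate remote administration will trip the rule.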
Categories
- Network
- Endpoint
- Cloud
- Infrastructure
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1021
Created: 2020-08-22