Helpdesk admin connecting form their workstation to another users workstation via RDP
The direction is important here, the Helpdesk admin connecting from a workstation that isn’t theirs is suspicious
Management sever connecting to systems to update software or backup data
Legitimate IT system management tools often get flagged for suspicious activity such as remote file copying.
Admin has created a network share to access files from multiple users in the network
IT and application admins often need to move data around a network and may setup a network share to do so.