
Summary
This rule detects potential lateral movement over the Server Message Block (SMB) protocol, which is commonly used for file sharing and network communication in Windows environments. Adversaries often use SMB to move laterally after gaining initial access, either to deploy malware or to gather sensitive information. The rule captures Windows Sysmon events in which connections are made to the SMB port (445) from internal sources, filtering out local and reserved IP addresses. The detection logic then narrows the analysis to anomalous communication patterns, such as connections to infrequently contacted destinations or connections initiated by unusual processes (e.g., PowerShell or cmd). This surfaces cross-system interactions that deviate from normal behavior and may indicate malicious intent, as seen with threat actor groups known to use these methods, such as FIN8 or Lazarus. The rule is important for monitoring lateral movement because it combines event statistics into a more granular view of network interactions among hosts, so that genuine threats are promptly identified and alerted upon.
Categories
- Network
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Network Traffic
ATT&CK Techniques
- T1021.002
Created: 2024-02-09