Temporary ConnectWise xml File Activity

Anvilogic Forge

Summary
This detection rule monitors file activity in the \Temp\ScreenConnect\[version number]\ directory, specifically on XML files associated with the ConnectWise ScreenConnect application. Following the critical authentication bypass vulnerability that ConnectWise disclosed for versions prior to 23.9.8, any change to these XML files should be tracked, as it may pose a security risk. To use this detection, organizations must configure the Advanced Audit Policy to log successful Windows Event ID 4663 events, which record file access and modification in detail. Additionally, a System Access Control List (SACL) must be applied to the target directory so that access to its files is actually audited. This rule provides visibility into activity that may be attempting to exploit the vulnerability, helping organizations protect their systems.
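Detection logic of the kind the summary describes, as an added Python example that is not Anvilogic's rule code: it filters Event ID 4663 records for XML files under \Temp\ScreenConnect\<version>\ and flags those whose AccessMask carries a write or delete right. The event records, user names and paths are constructed samples.

```python
import re

# Constructed sample Event ID 4663 records (field subset), not real telemetry.
# Such records only exist when "File System" success auditing and a SACL on
# the directory are in place, as the rule summary requires.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "svc_screenconnect",
     "ProcessName": r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
     "ObjectName": r"C:\Windows\Temp\ScreenConnect\23.9.7.8804\SetupWizard.xml",
     "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "svc_screenconnect",
     "ProcessName": r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
     "ObjectName": r"C:\Windows\Temp\ScreenConnect\23.9.7.8804\ScreenConnect.ClientSetup.exe",
     "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessName": r"C:\Windows\notepad.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Temp\notes.xml", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "svc_screenconnect",
     "ProcessName": r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
     "ObjectName": r"C:\Windows\Temp\ScreenConnect\23.9.7.8804\RelayServer.xml",
     "AccessMask": "0x1"},
    {"EventID": 4656, "SubjectUserName": "alice", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Windows\Temp\ScreenConnect\23.9.7.8804\SetupWizard.xml", "AccessMask": "0x2"},
]

# Directory and extension from the rule: \Temp\ScreenConnect\<version>\<name>.xml
SC_XML_PATH = re.compile(r"\\Temp\\ScreenConnect\\\d+(?:\.\d+)*\\[^\\]+\.xml$", re.IGNORECASE)

# Windows file access-right bits in the 4663 AccessMask that alter or remove the file.
MODIFY_BITS = {0x2: "WriteData", 0x4: "AppendData", 0x10000: "DELETE"}

def modify_rights(mask_hex: str) -> list[str]:
    """Names of the modifying rights present in a hex AccessMask string."""
    mask = int(mask_hex, 16)
    return [name for bit, name in MODIFY_BITS.items() if mask & bit]

def is_screenconnect_xml_event(event: dict) -> bool:
    """True for a successful-access (4663) event on a ScreenConnect temp XML file."""
    return event.get("EventID") == 4663 and bool(SC_XML_PATH.search(event.get("ObjectName", "")))

def detect(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, flagging those that modify the file."""
    alerts = []
    for ev in events:
        if is_screenconnect_xml_event(ev):
            rights = modify_rights(ev["AccessMask"])
            alerts.append({"user": ev["SubjectUserName"], "process": ev["ProcessName"],
                           "object": ev["ObjectName"], "rights": rights, "modifying": bool(rights)})
    return alerts
```

Reads of the XML files are reported too, since the rule covers all file activity in the directory; the `modifying` flag lets a triage workflow prioritise writes and deletes.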
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1133
  • T1219
Created: 2024-02-26