
Summary
This detection rule uses a machine learning job to identify abnormal spikes in the volume of data written to external devices via AirDrop on Apple devices. Data transfers to external devices normally follow predictable patterns, so a significant deviation, seen as an unusually high number of bytes written, can indicate an attempt to exfiltrate data. The rule fires when the volume of data written exceeds the thresholds the job has established from past activity, alerting security teams to potentially illicit activity. It depends on the Data Exfiltration Detection setup, which requires network and file events collected through integrations such as Elastic Defend and Network Packet Capture. Investigation should include analysing the user's behaviour, checking the destination device, and confirming that the transfer falls within normal operational patterns. The rule is tuned to detect cases where large volumes of data are sent inappropriately, enabling early detection of a potential breach.
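As an added illustration of the spike logic described above (an example written for this page, not Elastic's rule or ML job code), the following check compares each host's daily AirDrop byte count against a robust baseline built from its other days; the event layout, the `k` multiplier and the absolute floor are assumptions chosen for the demonstration.

```python
"""Baseline-and-spike check over constructed AirDrop transfer events.
Added example, not the detection rule's own code; field layout is assumed."""
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, host, bytes written via AirDrop).
# host-a is steady for seven days and then sends ~1.5 GB on day 8;
# host-b stays small throughout and must not alert.
EVENTS = [
    ("d1", "host-a", 2_000_000), ("d2", "host-a", 2_500_000),
    ("d3", "host-a", 1_800_000), ("d4", "host-a", 2_200_000),
    ("d5", "host-a", 2_100_000), ("d6", "host-a", 2_400_000),
    ("d7", "host-a", 1_900_000), ("d8", "host-a", 1_500_000_000),
    ("d1", "host-b", 500_000), ("d2", "host-b", 600_000),
    ("d3", "host-b", 450_000), ("d4", "host-b", 700_000),
    ("d5", "host-b", 550_000), ("d6", "host-b", 650_000),
    ("d7", "host-b", 500_000), ("d8", "host-b", 9_000_000),
]


def daily_totals(events):
    """Sum bytes per (host, day); several transfers on one day are one total."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in events:
        totals[host][day] += nbytes
    return {host: dict(days) for host, days in totals.items()}


def find_spikes(events, k=10.0, min_bytes=50_000_000):
    """Flag (host, day) pairs whose total exceeds median + k * MAD of the host's
    other days. The median/MAD baseline resists being dragged up by the spike
    itself, and the absolute floor keeps quiet hosts from alerting on noise."""
    alerts = []
    for host, days in daily_totals(events).items():
        for day, value in days.items():
            baseline = [v for d, v in days.items() if d != day]
            if len(baseline) < 3:          # not enough history to judge
                continue
            med = median(baseline)
            mad = median(abs(v - med) for v in baseline) or 1.0
            if value > med + k * mad and value >= min_bytes:
                alerts.append({"host": host, "day": day,
                               "bytes": value, "baseline_median": med})
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(EVENTS):
        print(alert)
```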
Categories
- macOS
- Endpoint
- Network
Data Sources
- File
- Network Traffic
ATT&CK Techniques
- T1011 (Exfiltration Over Other Network Medium)
Created: 2023-09-22