
Slack: Multiple files downloaded from channel

Anvilogic Forge

Summary
This detection rule identifies a user who downloads a significant number of files (10 or more) from a Slack channel within a short period (60 minutes). It is motivated by the observed behavior of threat groups, notably LAPSUS$, who have harvested sensitive information from Slack channels in exactly this way. The rule uses Splunk to track file-download events, calling the `get_application_data` function to capture the relevant fields: timestamps, host information, user details, the action performed, the resulting file objects, and associated process details. The core logic groups these events by user, counts the file downloads per user, and surfaces the instances where that count meets or exceeds the threshold. Monitoring this behavior lets organizations detect potential data exfiltration attempts and respond accordingly.
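The counting logic described above, written out as an added Python example that is not the Anvilogic rule or its SPL: it groups constructed Slack-style download events by user and alerts when 10 or more fall inside any sliding 60-minute window. The event field names (`ts`, `user`, `action`, `file`, `channel`), the user names and the channel IDs are assumptions made up for the sample, and the sample events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                  # downloads per user ...
WINDOW = timedelta(minutes=60)  # ... inside this sliding window

def build_sample_events():
    """Constructed events shaped like Slack audit-log entries, not real logs:
    alice pulls 12 files in 33 min (alert); bob pulls 10 files over 3 hours, so
    no 60-minute window holds 10 (no alert); carol's upload is ignored."""
    t0 = datetime(2024, 2, 9, 9, 0, 0)
    events = [{"ts": t0, "user": "carol", "action": "file_uploaded",
               "file": "notes.txt", "channel": "C-ENG"}]
    for i in range(12):
        events.append({"ts": t0 + timedelta(minutes=3 * i), "user": "alice",
                       "action": "file_downloaded", "file": f"q4-{i}.xlsx",
                       "channel": "C-FINANCE"})
    for i in range(10):
        events.append({"ts": t0 + timedelta(minutes=20 * i), "user": "bob",
                       "action": "file_downloaded", "file": f"spec-{i}.md",
                       "channel": "C-ENG"})
    return events

def detect_bulk_downloads(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (max_count, window_start, files)} for each user whose
    file_downloaded events reach `threshold` within any sliding `window`; a
    sliding window catches bursts a fixed 60-minute bucket would split."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("action") == "file_downloaded":  # uploads, views etc. ignored
            per_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # drop events too old
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, (0,))[0]:
                alerts[user] = (count, evs[start]["ts"],
                                [e["file"] for e in evs[start:end + 1]])
    return alerts

if __name__ == "__main__":
    for user, (n, since, files) in detect_bulk_downloads(build_sample_events()).items():
        print(f"ALERT {user}: {n} downloads since {since:%H:%M}, e.g. {files[:3]}")
```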
Categories
  • Application
  • Cloud
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
  • T1213
Created: 2024-02-09