
Potential Data Exfiltration Activity to an Unusual Destination Port

Elastic Detection Rules

Summary
This rule uses machine learning to detect potential data exfiltration to unusual destination ports. It looks for data transfer patterns that deviate from normal traffic behavior, which may indicate malicious activity such as exfiltration over command and control (C2) channels. The underlying machine learning job, 'ded_high_sent_bytes_destination_port', analyzes network events collected through integrations such as Elastic Defend and Network Packet Capture. The rule fires at a detection threshold of 75, so only significant anomalies produce alerts. For the rule to work, the Data Exfiltration Detection integration must be installed and the relevant network and file event logs must be collected. The rule also guides investigators through steps to triage an alert, rule out false positives caused by legitimate services, and respond to confirmed threats. By mapping to MITRE ATT&CK techniques, it strengthens the organization's defensive posture against data theft and supports timely detection and remediation.
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1041
Created: 2023-09-22