SMB Traffic Spike - MLTK

Splunk Security Content

Summary
This analytic rule monitors for significant spikes in Server Message Block (SMB) traffic, utilizing the Machine Learning Toolkit (MLTK) to identify anomalies within network traffic. The rule specifically examines connections on ports 139 and 445 to detect sudden increases in SMB connections, which may indicate lateral movement by attackers or data exfiltration attempts. The underlying search leverages the Network_Traffic data model to aggregate and analyze connections in one-hour intervals, applying a machine learning model to identify outlier behaviors based on historical traffic patterns. If confirmed, these anomalies could signal security breaches leading to unauthorized access or data theft, necessitating timely investigation. Proper implementation requires verifying the presence of DNS data in the Network_Traffic data model and running associated baseline searches to ensure accurate model training.
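The detection logic described above, written out as an added Python example. This is not the Splunk Security Content search and not an MLTK model: the real rule reads the Network_Traffic data model and scores one-hour connection counts with a fitted MLTK density model, while this stand-in approximates the baseline with a mean and standard deviation, groups counts per source host (an assumption for illustration), and runs over constructed flow records embedded in the file. The field names (time, src, dest, dest_port), host addresses and the z-score cutoff are all assumptions.

```python
"""Approximation of the 'SMB traffic spike' detection logic in plain Python.

Added example; not the Splunk Security Content search or an MLTK model.
The real rule reads the Network_Traffic data model and scores one-hour counts
with a fitted MLTK density model; here the baseline is a mean/standard-deviation
model and every input record is constructed in this file.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

SMB_PORTS = {139, 445}   # the ports the rule examines
Z_THRESHOLD = 3.0        # assumed cutoff; MLTK uses a density threshold instead


def parse_flow(line):
    """Parse one constructed record shaped like Network_Traffic fields:
    ISO-8601 time, src, dest, dest_port (comma separated)."""
    ts, src, dest, port = line.strip().split(",")
    t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return {"time": t, "src": src, "dest": dest, "dest_port": int(port)}


def hourly_smb_counts(flows):
    """Count SMB (139/445) connections per source in one-hour buckets.
    Grouping by source host is an assumption for illustration."""
    counts = defaultdict(int)
    for f in flows:
        if f["dest_port"] in SMB_PORTS:
            hour = f["time"].replace(minute=0, second=0, microsecond=0)
            counts[(f["src"], hour)] += 1
    return dict(counts)


def fit_baseline(baseline_counts):
    """Summarise historical hourly counts as (mean, population stdev)."""
    values = list(baseline_counts.values())
    return mean(values), pstdev(values)


def find_spikes(counts, mu, sigma, z=Z_THRESHOLD):
    """Return buckets whose count lies more than z standard deviations above baseline."""
    spikes = []
    for (src, hour), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        if sigma == 0:
            score = float("inf") if n > mu else 0.0
        else:
            score = (n - mu) / sigma
        if score > z:
            spikes.append({"src": src, "hour": hour.isoformat(),
                           "count": n, "z": round(score, 2)})
    return spikes


def constructed_baseline_flows():
    """50 hours of steady SMB use: 10-14 connections per hour (constructed data)."""
    start = datetime(2024, 11, 1, 0, 0, tzinfo=timezone.utc)
    lines = []
    for h in range(50):
        t = start + timedelta(hours=h)
        for i in range(10 + h % 5):
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()},10.0.0.5,10.0.0.20,445")
    return [parse_flow(line) for line in lines]


def constructed_current_flows():
    """One day's window (constructed): a normal hour, a spike hour, and non-SMB noise."""
    base = datetime(2024, 11, 15, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):   # 09:00, normal hour for 10.0.0.5
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},10.0.0.5,10.0.0.20,445")
    for i in range(11):   # 09:00, normal hour for a second host
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},10.0.0.7,10.0.0.20,445")
    spike = base + timedelta(hours=1)
    for i in range(40):   # 10:00, 40 SMB connections to many hosts (445 and 139)
        port = 445 if i < 30 else 139
        lines.append(f"{(spike + timedelta(seconds=i)).isoformat()},10.0.0.5,10.0.0.{21 + i},{port}")
    for i in range(25):   # 10:00, HTTP traffic that must not be counted
        lines.append(f"{(spike + timedelta(seconds=i)).isoformat()},10.0.0.5,10.0.0.30,80")
    return [parse_flow(line) for line in lines]


def run_detection():
    """Fit the baseline on historical counts, then score the current window."""
    mu, sigma = fit_baseline(hourly_smb_counts(constructed_baseline_flows()))
    return find_spikes(hourly_smb_counts(constructed_current_flows()), mu, sigma)


if __name__ == "__main__":
    for spike in run_detection():
        print(spike)
```

Running the file flags only the 10:00 bucket for 10.0.0.5 (40 SMB connections against a baseline of about 12 per hour); the 25 HTTP flows in the same hour are ignored because the filter is on destination port, and the second host's 11 connections fall inside the baseline. When tuning the real rule, the equivalent knobs are the baseline window the model is trained on and the density threshold applied to each hourly count.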
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1021.002
  • T1021
Created: 2024-11-15