Detect Outbound SMB Traffic

Splunk Security Content

Summary
This analytic detects anomalous outbound Server Message Block (SMB) traffic from internal hosts to external servers, i.e. any SMB request directed towards the Internet. Such traffic is not typical of normal operations on an internal network. The detection aims to identify attempts by attackers to exfiltrate data or retrieve credential hashes, which is often a precursor to privilege escalation or lateral movement within a network. If these outbound SMB connections are confirmed malicious, they pose a significant threat, potentially leading to unauthorized access to sensitive data and the compromise of entire systems. This rule underscores the importance of monitoring network traffic to catch and assess unusual outbound SMB activity, which could indicate an ongoing breach or compromise.
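As an added illustration of the logic this analytic describes (example code, not the Splunk search itself), the following Python applies an internal-to-external SMB check to constructed network-traffic events; the port set, the "internal" address ranges and the key=value field names are assumptions.

```python
import ipaddress
from collections import Counter

# SMB over TCP (445) and NetBIOS session service (139); assumption: detection keys on these.
SMB_PORTS = {139, 445}

# Assumption: "internal" is RFC 1918 plus loopback and link-local; anything else parsable is Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed key=value events, not real traffic; 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for Internet hosts.
SAMPLE_EVENTS = [
    "src_ip=10.1.2.15 dest_ip=10.1.2.40 dest_port=445 action=allowed",        # internal to internal
    "src_ip=10.1.2.15 dest_ip=203.0.113.77 dest_port=445 action=allowed",     # outbound SMB: hit
    "src_ip=192.168.5.9 dest_ip=198.51.100.23 dest_port=139 action=allowed",  # outbound NetBIOS: hit
    "src_ip=192.168.5.9 dest_ip=198.51.100.23 dest_port=443 action=allowed",  # not SMB
    "src_ip=198.51.100.5 dest_ip=10.1.2.15 dest_port=445 action=allowed",     # inbound, wrong direction
    "src_ip=10.1.2.15 dest_ip=203.0.113.77 dest_port=445 action=blocked",     # blocked attempt: still a hit
    "src_ip=10.1.2.15 dest_ip=203.0.113.77 dest_port=abc action=allowed",     # malformed port: skipped
]

def parse_event(line):
    """Split a key=value log line into a dict; tokens without '=' are dropped."""
    return {k: v for k, sep, v in (tok.partition("=") for tok in line.split()) if sep}

def zone(ip_text):
    """'internal', 'external', or None when the text is not an IP address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def find_outbound_smb(lines):
    """(src_ip, dest_ip, dest_port, action) for SMB flows leaving the internal
    network; blocked attempts are kept because the attempt itself is the signal."""
    hits = []
    for ev in map(parse_event, lines):
        port_text = ev.get("dest_port", "")
        if not port_text.isdigit():
            continue  # malformed or missing port: skip rather than crash
        src, dst = ev.get("src_ip", ""), ev.get("dest_ip", "")
        if int(port_text) in SMB_PORTS and zone(src) == "internal" and zone(dst) == "external":
            hits.append((src, dst, int(port_text), ev.get("action", "unknown")))
    return hits

def hits_per_source(hits):
    """Count flagged flows per internal host, the first view an analyst triages."""
    return Counter(src for src, _, _, _ in hits)
```

Direction is the whole point: inbound SMB from the Internet and internal-to-internal SMB are deliberately not flagged, so a host that appears repeatedly in the per-source count is the one to triage first.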
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1071.002
  • T1071
Created: 2024-11-15