
Summary
This rule detects potential data exfiltration through large outbound network transfers, mapped to activity attributed to the threat actor FIN8 (also tracked as Syssphinx). The detection logic runs over network traffic logs and keeps only allowed connections whose destination IP falls outside the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Outbound bytes are converted to megabytes, and individual transfers exceeding 20 MB are retained as candidate events. Those candidates are then bucketed into 1-hour bins, and an alert fires when the summed outbound volume within a bin exceeds 5 GB; the result carries context such as user, host, destination IP and related fields for triage. The detection targets bulk outbound transfers whose volume and pattern may indicate data theft or unauthorized transfer of data.
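The three-stage logic described above (allowed, non-RFC1918 destination, per-flow size filter, then hourly aggregation against a 5 GB threshold), run over constructed network-traffic records. This is an added example for illustration, not the rule's own search query: the field names (`action`, `dest_ip`, `bytes_out`, `user`, `host`), the aggregation key of (hour, source IP, destination IP), and 5 GB taken as 5120 MB are assumptions made here.

```python
"""Added example (not the rule's own query): the hourly outbound-volume
logic described above, run over constructed network-traffic records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# RFC 1918 ranges the rule excludes as destinations.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MB = 1024 * 1024
FLOW_MIN_BYTES = 20 * MB            # per-flow candidate threshold (20 MB)
HOURLY_ALERT_BYTES = 5 * 1024 * MB  # per-hour alert threshold (5 GB, assumed 5120 MB)


def is_private_dest(ip: str) -> bool:
    """True when the destination falls in one of the three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def candidate_flows(events):
    """Stage 1: allowed flows to non-RFC1918 destinations with more than 20 MB outbound."""
    for e in events:
        if e["action"] != "allowed":
            continue
        if is_private_dest(e["dest_ip"]):
            continue
        if e["bytes_out"] <= FLOW_MIN_BYTES:
            continue
        yield e


def hourly_totals(events):
    """Stage 2: bin candidates into 1-hour buckets keyed by (hour, src, dest); assumed key."""
    totals = defaultdict(lambda: {"bytes_out": 0, "flows": 0, "users": set(), "hosts": set()})
    for e in candidate_flows(events):
        hour = e["time"].replace(minute=0, second=0, microsecond=0)
        agg = totals[(hour, e["src_ip"], e["dest_ip"])]
        agg["bytes_out"] += e["bytes_out"]
        agg["flows"] += 1
        agg["users"].add(e["user"])
        agg["hosts"].add(e["host"])
    return totals


def alerts(events):
    """Stage 3: one alert per bucket whose summed outbound volume exceeds 5 GB."""
    out = []
    for (hour, src, dest), agg in sorted(hourly_totals(events).items()):
        if agg["bytes_out"] > HOURLY_ALERT_BYTES:
            out.append({
                "hour": hour.isoformat(),
                "src_ip": src,
                "dest_ip": dest,
                "total_mb": agg["bytes_out"] / MB,
                "flows": agg["flows"],
                "users": sorted(agg["users"]),
                "hosts": sorted(agg["hosts"]),
            })
    return out


def _flow(t, src, dest, mb, action="allowed", user="alice", host="ws01"):
    """Build one constructed flow record with its outbound size given in MB."""
    return {"time": t, "src_ip": src, "dest_ip": dest, "bytes_out": mb * MB,
            "action": action, "user": user, "host": host}


# Constructed sample records (not real telemetry); TEST-NET addresses stand in for externals.
T0 = datetime(2024, 2, 9, 13, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # nine 600 MB flows in the 13:00 hour to one external host: 5400 MB > 5 GB -> alert
    [_flow(T0 + timedelta(minutes=5 * i), "10.1.2.3", "203.0.113.10", 600) for i in range(9)]
    # 2 GB to an RFC 1918 peer: excluded by the private-range filter
    + [_flow(T0 + timedelta(minutes=10), "10.1.2.3", "192.168.5.5", 2048)]
    # 1 GB that the firewall blocked: excluded by the action filter
    + [_flow(T0 + timedelta(minutes=15), "10.1.2.3", "198.51.100.7", 1024, action="blocked")]
    # 400 x 10 MB flows (4000 MB) in the same hour: each is <= 20 MB, so none reach stage 2
    + [_flow(T0 + timedelta(seconds=9 * i), "10.1.2.3", "198.51.100.7", 10) for i in range(400)]
    # 3 GB across the 14:00 hour: candidates, but under the hourly threshold
    + [_flow(T0 + timedelta(hours=1, minutes=10 * i), "10.1.2.4", "203.0.113.20", 1024) for i in range(3)]
)

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

Two caveats the sample input is built to show. First, the 20 MB per-flow filter is applied before aggregation, so 4000 MB sent as 10 MB chunks in one hour never reaches the hourly sum; an adversary who limits transfer size (T1030) stays below this rule, which is why a companion detection on connection count or sustained volume per destination is worth running alongside it. Second, the exclusion list is exactly the three RFC 1918 blocks: destinations in 100.64.0.0/10, 169.254.0.0/16 or 127.0.0.0/8 would be counted as external by this logic, so tune the exclusion list to the address space actually in use.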
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1020 (Automated Exfiltration)
- T1030 (Data Transfer Size Limits)
Created: 2024-02-09