Inbound Request Compressed File

Anvilogic Forge

Summary
This detection rule identifies requests for compressed files in network traffic, behaviour that can indicate an attempted data exfiltration. Adversaries commonly compress files before exfiltrating them to reduce the volume of data transferred, and may also encrypt the archive to obscure its contents. The rule keys on file extensions associated with common compression formats (such as .zip, .tar and .rar) to identify relevant HTTP/S requests. Its query applies an extensive list of regex patterns to network traffic logs to extract the matching records, which are then processed to present useful fields such as the client IP address and associated metadata. The rule also enriches records through lookup tables and IP location services, which makes it useful for monitoring and investigating suspicious outbound traffic. By focusing on data collected from network devices, the rule supports proactive detection of potential threats and aligns with the behaviour of known threat actor groups such as Earth Estries.
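The following is an added example, not the Anvilogic Forge rule's own query, illustrating the detection logic the summary describes: match compressed-file extensions in the URL path of HTTP/S requests, skip malformed records, and aggregate hits per client IP for triage. The log format, the sample lines and the extension list are constructed for the example; the vendor's actual regex set is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Archive / compression extensions to flag. Constructed list modelled on the
# formats the summary names (.zip, .tar, .rar, ...); it is not the vendor's
# actual pattern set. The optional ".tar" prefix reports ".tar.gz" as one unit.
COMPRESSED_EXT_RE = re.compile(
    r"(?P<ext>(?:\.tar)?\.(?:zip|rar|7z|gz|tgz|bz2|xz|zst|cab|arj)|\.tar)$",
    re.IGNORECASE,
)

# Constructed proxy log lines, one request per line, in the format:
# <timestamp> <client_ip> <method> <url> <status> <bytes>
SAMPLE_LOGS = [
    "2024-02-09T10:00:01Z 10.1.2.3 GET http://intranet.example.test/reports/q4.pdf 200 81234",
    "2024-02-09T10:00:05Z 10.1.2.3 POST https://files.example.test/upload/backup.tar.gz 200 55000000",
    "2024-02-09T10:00:07Z 10.1.2.9 GET https://cdn.example.test/app.js?v=3.zip 200 1024",
    "2024-02-09T10:00:09Z 10.1.2.3 PUT https://share.example.test/drop/DOCS.ZIP 201 23000000",
    "2024-02-09T10:00:11Z 10.1.2.5 GET https://mirror.example.test/pkg/tool-1.2.tar 200 300",
    "malformed line that the parser should skip",
]


def archive_extension(url):
    """Return the lower-cased archive extension of the URL path, or None.

    The match runs on the path only: a query string such as ?v=3.zip must not
    make an ordinary script request look like an archive transfer.
    """
    path = urlsplit(url).path
    m = COMPRESSED_EXT_RE.search(path)
    return m.group("ext").lower() if m else None


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client_ip, method, url, status, size = fields
    if not size.isdigit():
        return None
    return {"timestamp": ts, "client_ip": client_ip, "method": method,
            "url": url, "status": status, "bytes": int(size)}


def detect(lines):
    """Return one hit per request whose URL path ends in an archive extension."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ext = archive_extension(rec["url"])
        if ext is None:
            continue
        rec["extension"] = ext
        hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Aggregate hits per client IP: request count and total bytes moved.

    This is the triage view an analyst pivots on; enrichment with user or
    geolocation lookups (as the rule describes) would hang off client_ip here.
    """
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["client_ip"], {"requests": 0, "bytes": 0})
        entry["requests"] += 1
        entry["bytes"] += h["bytes"]
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for h in found:
        print(h["client_ip"], h["method"], h["extension"], h["url"])
    print(summarize_by_client(found))
```

On the constructed input the detector flags three requests (the .tar.gz upload, the upper-case .ZIP PUT and the .tar download) and ignores the script request whose query string merely contains ".zip"; per-client aggregation then surfaces 10.1.2.3 as the host that moved the most archive bytes, which is the pivot an analyst would investigate further.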
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1048.003
Created: 2024-02-09