
Summary
This detection rule identifies outbound network connections initiated by 'cmstp.exe', a legitimate Windows binary associated with connection manager profiles. This executable rarely initiates network connections, so when it does the event may indicate malicious activity, such as exploitation techniques or unauthorized data exfiltration. The rule matches on network-connection telemetry in which 'cmstp.exe' is the initiating process, and its filter condition excludes destinations in local address ranges to reduce false positives and give a more precise indication of a threat. Security analysts should investigate any triggering event to establish the context and origin of the outbound request and separate benign use from malicious intent.
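The rule logic described above, applied to constructed Sysmon Event ID 3 style events. This is an added example, not the rule's own query, and the set of excluded local ranges is an assumption (the page does not list the exact ranges the rule filters).

```python
import ipaddress

# Local / non-routable destination ranges excluded to reduce false positives.
# Assumed set; the original rule's exact list is not reproduced on this page.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local(ip_text):
    """True if the destination falls inside one of the filtered local ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: keep the event for analyst review
    return any(ip in net for net in LOCAL_RANGES)


def matches_rule(event):
    """Apply the rule to one network-connection event (Sysmon EID 3 field names)."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\cmstp.exe"):
        return False
    # Sysmon logs Initiated as the string "true"/"false"; accept bools as well.
    if str(event.get("Initiated", "")).lower() != "true":
        return False  # inbound connection: not in scope
    return not is_local(event.get("DestinationIp", ""))


def run_detection(events):
    """Return the events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry; documentation IP ranges).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "Initiated": "true", "DestinationIp": "192.168.1.5", "DestinationPort": 445},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "Initiated": "false", "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["DestinationIp"], hit["DestinationPort"])
```

Only the first sample event fires: the second is a local destination, the third is inbound, and the fourth is a different process.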
Categories
- Windows
- Network
- Endpoint
Data Sources
- Process
- Network Traffic
- Logon Session
Created: 2022-08-30