Process Connection to Mega - Windows

Anvilogic Forge

Summary
This detection rule identifies suspicious network connections associated with the Mega cloud storage service on Windows systems. It focuses on the MEGAsync.exe and MEGAcmd applications, which threat actors use for data exfiltration because Mega offers end-to-end encryption and partially anonymous payment options. The rule leverages the Windows Security event log, specifically Event ID 5156 (the Windows Filtering Platform has permitted a connection). Two caveats apply: 5156 is only generated when the "Audit Filtering Platform Connection" subcategory is enabled for success events, and it is high-volume on busy hosts; and 5156 records the destination IP address and port rather than a hostname, so attributing a connection to mega.co.nz or mega.nz has to be established from DNS or proxy telemetry or from the application's known endpoints. When one of these applications is observed connecting to either domain, an alert is raised so the security team can investigate potential unauthorized data transfer. The rule also aggregates the relevant event attributes, including timestamp, host, user account, and associated process, to give a consolidated view of the activity.
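The correlation described above, as an added example (this is not Anvilogic's rule code). It assumes Sysmon Event ID 22 (DNS query) is available to supply the hostname and user that Event ID 5156 lacks, and it joins a Mega client's DNS query for a mega.nz / mega.co.nz name to that client's next outbound 5156 on the same host within a short window. Event fields are flattened from the XML EventData into dicts, the sample events are constructed, and the process-name prefix match (megasync, megacmd) is an assumption about which binaries to cover.

```python
"""Correlate Sysmon 22 (DNS query) with Security 5156 (WFP permitted connection)
to flag MEGAsync/MEGAcmd traffic to Mega. Added example with constructed data."""
from datetime import datetime, timedelta

MEGA_DOMAINS = ("mega.nz", "mega.co.nz")
# Lower-cased process-name prefixes. Assumption: MEGAcmd's binaries all start
# with "megacmd", so a prefix match covers the suite.
MEGA_PROCESS_PREFIXES = ("megasync", "megacmd")
# 5156 Direction field is a resource-string id: %%14592 Inbound, %%14593 Outbound.
OUTBOUND = "%%14593"


def basename(path):
    """Last path component, lower-cased. Handles the \\device\\harddiskvolumeN
    form that 5156 uses in Application Name as well as drive-letter paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mega_process(path):
    return basename(path).startswith(MEGA_PROCESS_PREFIXES)


def is_mega_domain(name):
    """Exact or subdomain match only; 'notmega.nz' and 'mega.nz.evil.com' do not match."""
    host = name.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events, window_seconds=60):
    """Alert on each outbound 5156 from a Mega client that was preceded, on the
    same host and within window_seconds, by that client querying a Mega domain."""
    dns = [e for e in events
           if e["EventID"] == 22 and is_mega_process(e["Image"])
           and is_mega_domain(e["QueryName"])]
    alerts = []
    for e in events:
        if (e["EventID"] != 5156 or e["Direction"] != OUTBOUND
                or not is_mega_process(e["Application"])):
            continue
        t = _ts(e["UtcTime"])
        for q in dns:
            age = t - _ts(q["UtcTime"])
            if (q["Computer"] == e["Computer"]
                    and basename(q["Image"]) == basename(e["Application"])
                    and timedelta(0) <= age <= timedelta(seconds=window_seconds)):
                alerts.append({
                    "time": e["UtcTime"], "host": e["Computer"], "user": q["User"],
                    "process": basename(e["Application"]), "domain": q["QueryName"],
                    "dest": f"{e['DestAddress']}:{e['DestPort']}",
                })
                break  # one alert per connection event
    return alerts


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 22, "UtcTime": "2024-02-09 10:14:02", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\MEGAsync\\MEGAsync.exe", "QueryName": "g.api.mega.co.nz"},
    {"EventID": 5156, "UtcTime": "2024-02-09 10:14:03", "Computer": "WS01",
     "Application": "\\device\\harddiskvolume2\\program files\\megasync\\megasync.exe",
     "Direction": OUTBOUND, "DestAddress": "203.0.113.10", "DestPort": "443"},
    # Browser visiting mega.nz: not one of the targeted clients, no alert.
    {"EventID": 22, "UtcTime": "2024-02-09 10:20:00", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "mega.nz"},
    {"EventID": 5156, "UtcTime": "2024-02-09 10:20:01", "Computer": "WS01",
     "Application": "\\device\\harddiskvolume2\\program files\\google\\chrome\\application\\chrome.exe",
     "Direction": OUTBOUND, "DestAddress": "203.0.113.11", "DestPort": "443"},
    # Inbound 5156 for MEGAsync: direction filter drops it.
    {"EventID": 5156, "UtcTime": "2024-02-09 11:05:00", "Computer": "WS01",
     "Application": "\\device\\harddiskvolume2\\program files\\megasync\\megasync.exe",
     "Direction": "%%14592", "DestAddress": "203.0.113.10", "DestPort": "443"},
    # MEGAsync connection on another host with no Mega DNS query in the window: no alert.
    {"EventID": 5156, "UtcTime": "2024-02-09 11:30:00", "Computer": "WS02",
     "Application": "\\device\\harddiskvolume1\\program files\\megasync\\megasync.exe",
     "Direction": OUTBOUND, "DestAddress": "198.51.100.7", "DestPort": "443"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last sample case is the one to think about in production: a Mega client connecting without a matching DNS query in the window (DNS cached, DNS logging gaps, or a hard-coded IP) is still the process the rule cares about, so a lower-severity alert keyed on process name and outbound 5156 alone is a reasonable companion to the domain-correlated one.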
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
ATT&CK Techniques
  • T1567 (Exfiltration Over Web Service)
Created: 2024-02-09