
Summary
This rule uses a machine learning anomaly detection job to spot unusual volumes of data being written to external (removable) devices within a given time window. For a given host and user, writes to external devices normally follow a predictable pattern; a sudden departure from that pattern is a classic sign of data staging or exfiltration over physical media. The rule does not fire on a raw byte count: the ML job builds a per-entity baseline of bytes written, assigns each window an anomaly score from 0 to 100, and the rule alerts when a spike in bytes written produces a score at or above the anomaly threshold of 75.

The rule consumes file and network events, so it requires the Data Exfiltration Detection integration together with endpoint telemetry from Elastic Defend or a comparable agent that records the device, the user and the bytes written per operation. Because the score is relative to a learned baseline, hosts or users with little history (a newly enrolled endpoint, a job that has just started) score less reliably; treat early alerts from such entities with that in mind.

When an alert fires, investigate before concluding exfiltration: identify the external device involved (type, identifier, when it was first seen on the host), correlate the write window with the user's activity logs and the processes that performed the writes, and compare the flagged volume against the entity's historical transfer pattern to judge whether the data movement is legitimate (for example a scheduled backup or a known media-handling role) or warrants containment.
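To make the scoring idea concrete, the following is an added example, not the rule's or Elastic's own code: a simplified z-score stand-in for the ML job that buckets constructed file-write events per host, user and device, scores each bucket against that entity's previous buckets on a 0-100 scale, and alerts when the score reaches the rule's threshold of 75. The hourly bucket size, the minimum history of three buckets, the 10% noise floor on the standard deviation and the z-score-to-score mapping are all assumptions chosen for illustration; Elastic's anomaly scoring is a different algorithm.

```python
"""Simplified spike-in-bytes-written detector (added example, not Elastic's ML job)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

ANOMALY_THRESHOLD = 75        # threshold named in the rule summary
BUCKET = timedelta(hours=1)   # assumption: score hourly totals
MIN_BASELINE_BUCKETS = 3      # assumption: need this much history to score
STD_FLOOR_FRACTION = 0.10     # assumption: noise floor so a flat baseline does not blow up z

# Constructed sample telemetry (not real events): bytes written per file
# operation to a removable device, attributed to a host and user.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-09-22T09:05:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 4_000_000},
    {"@timestamp": "2023-09-22T09:40:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 1_500_000},
    {"@timestamp": "2023-09-22T10:10:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 5_000_000},
    {"@timestamp": "2023-09-22T11:20:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 6_000_000},
    {"@timestamp": "2023-09-22T12:00:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 4_500_000},
    # the spike: ~2 GB written to the same device within one hour
    {"@timestamp": "2023-09-22T13:02:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 800_000_000},
    {"@timestamp": "2023-09-22T13:15:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 700_000_000},
    {"@timestamp": "2023-09-22T13:41:00Z", "host": "ws-17", "user": "alice", "device": "usb-0", "bytes": 500_000_000},
    # a second entity with a modest increase that should stay below threshold
    {"@timestamp": "2023-09-22T09:30:00Z", "host": "ws-22", "user": "bob", "device": "usb-1", "bytes": 2_000_000},
    {"@timestamp": "2023-09-22T10:30:00Z", "host": "ws-22", "user": "bob", "device": "usb-1", "bytes": 3_000_000},
    {"@timestamp": "2023-09-22T11:30:00Z", "host": "ws-22", "user": "bob", "device": "usb-1", "bytes": 2_000_000},
    {"@timestamp": "2023-09-22T12:30:00Z", "host": "ws-22", "user": "bob", "device": "usb-1", "bytes": 3_500_000},
]


def bucket_start(ts: str) -> datetime:
    """Floor an ISO-8601 UTC timestamp to the start of its BUCKET window."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((t - epoch) // BUCKET) * BUCKET


def aggregate(events):
    """Sum bytes per (host, user, device) per bucket; series are time-ordered."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        key = (e["host"], e["user"], e["device"])
        totals[key][bucket_start(e["@timestamp"])] += e["bytes"]
    return {key: sorted(series.items()) for key, series in totals.items()}


def anomaly_score(value, baseline):
    """Map how far `value` sits above the baseline onto 0..100; None if too little history."""
    if len(baseline) < MIN_BASELINE_BUCKETS:
        return None
    mu = mean(baseline)
    sigma = max(pstdev(baseline), STD_FLOOR_FRACTION * mu)
    if sigma == 0:  # entity has never written anything before
        return 100 if value > mu else 0
    z = (value - mu) / sigma
    return max(0, min(100, round(z * 25)))  # assumption: z=4 saturates the score


def scores_for(events, host, user, device):
    """Per-bucket scores for one entity, each judged only against earlier buckets."""
    series = aggregate(events).get((host, user, device), [])
    history, out = [], []
    for _, total in series:
        out.append(anomaly_score(total, history))
        history.append(total)
    return out


def detect(events, threshold=ANOMALY_THRESHOLD):
    """Return one alert per bucket whose score reaches the threshold."""
    alerts = []
    for (host, user, device), series in aggregate(events).items():
        history = []
        for start, total in series:
            score = anomaly_score(total, history)
            if score is not None and score >= threshold:
                alerts.append({"host": host, "user": user, "device": device,
                               "bucket": start.isoformat(), "bytes": total,
                               "score": score, "baseline_mean": mean(history)})
            history.append(total)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Running it flags only alice's 13:00 bucket (score 100), while bob's 3.5 MB hour scores in the sixties and stays quiet, and the first three buckets of each entity return no score at all because there is no baseline yet. That last behaviour is the point of the caveat above: a real ML job likewise needs history before its scores mean anything.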
Categories
- Endpoint
- Network
- On-Premise
Data Sources
- File
- Network Traffic
ATT&CK Techniques
- T1052 (Exfiltration Over Physical Medium)
Created: 2023-09-22