
Summary
This rule detects potential data exfiltration in an Office 365 environment by monitoring file access patterns. Specifically, it identifies a user who accesses an excessive number of files in a short timeframe. The concern arises when such activity is performed via the 'open in app' functionality of SharePoint, which attackers often abuse with scripted access or the Graph API to bypass detections built on the FileDownloaded event. This behavior may indicate staging of data for exfiltration or an insider leaking sensitive organizational information. The rule applies additional scrutiny to Azure guest accounts, which may represent elevated risk. The detection logic uses Splunk's search capabilities to track and analyze file access events, with configurable thresholds for flagging abnormal behavior.
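The following is an added illustration of the rule's logic, not the Splunk rule itself or any vendor code: a Python reimplementation that reads constructed Unified Audit Log style SharePoint records and raises an alert when one user touches more distinct files than a threshold within a sliding time window. The record field names, the thresholds (20 files in 5 minutes for members, 10 for guests) and the use of the '#EXT#' UPN marker to recognise guest accounts are assumptions chosen for the example.

```python
"""Sliding-window detection of excessive SharePoint FileAccessed events per user.

Added illustration of the rule's logic; thresholds, field names and the guest
check are assumptions, not the Splunk rule's own values.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_log_lines():
    """Build constructed JSON lines shaped like Office 365 Unified Audit Log
    SharePoint records (only the fields this example needs)."""
    base = datetime(2024, 10, 14, 9, 0, 0)
    rows = []

    def add(user, n, spacing_s, distinct, agent):
        for i in range(n):
            rows.append({
                "CreationTime": (base + timedelta(seconds=spacing_s * i)).isoformat(),
                "Operation": "FileAccessed",
                "Workload": "SharePoint",
                "UserId": user,
                "ObjectId": f"https://contoso.example/sites/hr/Shared Documents/doc{i % distinct}.docx",
                "UserAgent": agent,
            })

    add("alice@contoso.example", 25, 7, 25, "python-requests/2.32")        # burst: 25 distinct files in ~3 min
    add("bob@contoso.example", 5, 60, 5, "Mozilla/5.0 (Windows NT 10.0)")   # normal activity
    add("carol@contoso.example", 30, 5, 3, "Microsoft Office/16.0")         # same 3 files opened repeatedly
    add("dave@contoso.example", 25, 300, 25, "Microsoft Office/16.0")       # 25 files, but one every 5 min
    add("eve_outside.example#EXT#@contoso.example", 12, 20, 12, "python-requests/2.32")  # guest burst
    return [json.dumps(r) for r in rows]


def parse_records(lines):
    """Parse JSON audit lines and attach a datetime for windowing."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def is_guest(user_id):
    """Assumption: Entra ID B2B guest UPNs carry the '#EXT#' marker."""
    return "#EXT#" in user_id.upper()


def detect_mass_file_access(records, threshold=20, window=timedelta(minutes=5), guest_threshold=10):
    """Return one alert per user whose busiest window holds >= threshold distinct files.

    Only SharePoint FileAccessed events are counted, since 'open in app' and
    Graph API reads do not necessarily produce FileDownloaded events.
    """
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("Workload") == "SharePoint" and rec.get("Operation") == "FileAccessed":
            by_user[rec["UserId"]].append(rec)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["_ts"])
        limit = guest_threshold if is_guest(user) else threshold
        counts = Counter()   # ObjectId -> occurrences inside the current window
        best = None
        left = 0
        for ev in evs:
            counts[ev["ObjectId"]] += 1
            # Slide the left edge forward until the window fits.
            while ev["_ts"] - evs[left]["_ts"] > window:
                old = evs[left]["ObjectId"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            distinct = len(counts)
            if best is None or distinct > best["distinct_files"]:
                best = {
                    "user": user,
                    "guest": is_guest(user),
                    "distinct_files": distinct,
                    "window_start": evs[left]["_ts"].isoformat(),
                    "window_end": ev["_ts"].isoformat(),
                }
        if best["distinct_files"] >= limit:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["user"])


def run_demo():
    """Run the detection over the constructed log and return the alerts."""
    return detect_mass_file_access(parse_records(_constructed_log_lines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The window walk counts distinct ObjectIds rather than raw events, so a user repeatedly reopening the same few documents (carol) does not trip the rule, while a burst across many files (alice) does; a slow crawl that stays below the rate (dave) is not flagged either, which is the usual trade-off of a rate threshold. The lower guest threshold mirrors the rule's extra scrutiny of Azure guest accounts.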
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1567
- T1530
Created: 2024-10-14