Unusual Remote File Extension

Elastic Detection Rules

Summary
This anomaly detection rule identifies potential lateral movement on endpoints by monitoring remote file transfers that involve rare file extensions. It uses Elastic's machine learning capabilities with a high anomaly threshold of 70, so that only transfers of unusually rare file types are flagged; such transfers are often indicative of malicious activity. The rule requires the Lateral Movement Detection integration, which captures the relevant file events and Windows RDP process events.

The investigation guide included with the rule helps security analysts respond to alerts efficiently, identifying genuine threats while reducing the risk of false positives through thorough investigation and threat intelligence correlation. Key investigation steps include reviewing the details of the transferred file, examining the historical usage of the file extension, and assessing the source and destination hosts for signs of compromise. The setup requirements detail the integrations and configuration needed for the rule to operate effectively within the Elastic environment.
Categories
  • Endpoint
  • Windows
  • Cloud
  • Infrastructure
  • On-Premise
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1210
Created: 2023-10-12