Download Files Using Telegram

Splunk Security Content

Summary
This analytic rule detects suspicious file downloads performed by the Telegram application on Windows systems, using Sysmon's EventCode 15. It looks for instances where 'telegram.exe' creates files carrying a Zone.Identifier stream, which indicates that a download has taken place. The presence of this identifier is often a sign of potentially malicious behavior, since adversaries may use Telegram to transfer harmful tools such as network scanners and other malicious software. If such activity is confirmed as malicious, it may enable attackers to perform network mapping and lateral movement, and potentially to compromise additional systems within the network. This rule is particularly relevant in environments where Telegram is not a commonly used application, where unusual file-download behavior that might otherwise go unnoticed stands out.
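As an added illustration (not the rule's own Splunk search), the same logic applied in Python to constructed Sysmon EventCode 15 records: it keeps only events where the creating image is telegram.exe and the created stream is Zone.Identifier, strips the stream suffix to name the downloaded file, and parses the stream body for ZoneId and HostUrl to aid triage. The field names follow Sysmon's EventCode 15 schema; the hosts, users, paths and URL are made up.

```python
import re

# Constructed sample records shaped like Sysmon EventCode 15 (FileCreateStreamHash)
# events as indexed by Splunk; hosts, users, paths and the URL are made up.
SAMPLE_EVENTS = [
    {"EventCode": 15, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Telegram Desktop\\scanner.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/scanner.zip\r\n"},
    {"EventCode": 15, "Computer": "WS01", "User": "CORP\\alice",   # browser download: not Telegram
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"EventCode": 11, "Computer": "WS01", "User": "CORP\\alice",   # plain file create: wrong event
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Telegram Desktop\\notes.txt"},
]

ZONE_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(contents: str) -> dict:
    """Parse a [ZoneTransfer] stream body ('Key=Value' lines) into a dict."""
    fields = {}
    for line in contents.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def detect_telegram_downloads(events) -> list:
    """Return one hit per EventCode 15 record in which telegram.exe wrote a
    Zone.Identifier stream, i.e. marked a file it had just downloaded."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 15:
            continue
        image = ev.get("Image", "")
        target = ev.get("TargetFilename", "")
        if image.rsplit("\\", 1)[-1].lower() != "telegram.exe":
            continue
        if not target.lower().endswith(ZONE_SUFFIX.lower()):
            continue
        zone = parse_zone_identifier(ev.get("Contents", ""))
        hits.append({"host": ev.get("Computer"), "user": ev.get("User"), "process": image,
                     "file": target[:-len(ZONE_SUFFIX)],  # the downloaded file itself
                     "zone_id": zone.get("ZoneId"),       # "3" = Internet zone
                     "host_url": zone.get("HostUrl")})    # origin URL, when recorded
    return hits
```

Run against real data, the same filters translate directly to a search over EventCode 15 on Image and TargetFilename, with Contents available for enrichment where the Sysmon version records it.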
Categories
  • Endpoint
Data Sources
  • Pod
  • Image
  • Container
  • User Account
  • File
  • Process
ATT&CK Techniques
  • T1105
Created: 2024-11-13