
Summary
This detection rule identifies suspicious access to sensitive file extensions on network shares, which can indicate malicious activity or data exfiltration attempts. It relies on EventID 5145, which Windows writes to the Security log when a client's access to a network share object (a file or folder) is checked. The rule looks for access to files with known sensitive extensions, namely .bak, .dmp, .edb, .kirbi, .msg, .nsf, .nst, .oab, .ost, .pst and .rdp, plus the specific configuration file \groups.xml. The logic is straightforward: if the EventID is 5145 and the target file name ends with any of the listed suffixes, an alert is raised. The rule supports monitoring for potential data theft by scrutinizing access to sensitive files. It is set to medium severity and documents known false positive scenarios, such as legitimate help desk operations or users who routinely work with these file types as part of normal operations.
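The rule logic described above, applied to constructed sample events; this is an added illustration, not the rule's own source. It assumes the 5145 event fields EventID, SubjectUserName, ShareName and RelativeTargetName, serialized here as key=value lines for simplicity, and matches suffixes case-insensitively as Sigma's endswith does.

```python
import re

# Suffix list taken from the rule summary (case-insensitive suffix match).
SENSITIVE_SUFFIXES = (
    ".bak", ".dmp", ".edb", ".kirbi", ".msg", ".nsf", ".nst",
    ".oab", ".ost", ".pst", ".rdp", "\\groups.xml",
)

# Assumed serialization: key=value pairs, values optionally double-quoted.
# Field names follow the Windows Security 5145 event.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_suspicious(event: dict) -> bool:
    """Rule logic: EventID 5145 AND RelativeTargetName ends with a sensitive suffix."""
    if event.get("EventID") != "5145":
        return False
    target = event.get("RelativeTargetName", "").lower()
    return target.endswith(SENSITIVE_SUFFIXES)


def scan(lines):
    """Return one alert tuple (user, share, target) per matching line."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            alerts.append((ev.get("SubjectUserName", "?"),
                           ev.get("ShareName", "?"),
                           ev["RelativeTargetName"]))
    return alerts


# Constructed sample events (not real telemetry); {PLACEHOLDER-GUID} stands in for a GPO id.
SAMPLE_LOG = [
    'EventID=5145 SubjectUserName=jdoe ShareName=\\\\*\\SYSVOL RelativeTargetName="corp.example\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\Groups\\groups.xml"',
    'EventID=5145 SubjectUserName=jdoe ShareName=\\\\*\\Finance RelativeTargetName="Reports\\Q3.xlsx"',
    'EventID=4663 SubjectUserName=svc_backup ShareName=- RelativeTargetName="Backup\\db.bak"',
    'EventID=5145 SubjectUserName=rsmith ShareName=\\\\*\\Users RelativeTargetName="rsmith\\Outlook\\mailbox.PST"',
    'EventID=5145 SubjectUserName=rsmith ShareName=\\\\*\\C$ RelativeTargetName="Windows\\Temp\\ticket.kirbi"',
]

if __name__ == "__main__":
    for user, share, target in scan(SAMPLE_LOG):
        print(f"ALERT user={user} share={share} target={target}")
```

The 4663 line shows why the EventID check matters: the same .bak suffix on a local-object access event is outside this rule's scope, and the mixed-case .PST line shows the case-insensitive match.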
Categories
- Endpoint
- Network
Data Sources
- Windows Registry
- File
- Network Share
- Process
Created: 2019-04-03