
Protocols passing authentication in cleartext

Splunk Security Content

Summary
This detection identifies network traffic to ports used by legacy protocols that send authentication in cleartext: Telnet (port 23), POP3 (port 110), IMAP (port 143), and FTP (port 21) where the user is not "anonymous". It searches the Network_Traffic data model for TCP traffic to those destination ports and excludes traffic whose action is blocked, so only connections that actually completed are reported. The risk is credential interception: anyone positioned on the network path can read the username and password, reuse them for unauthorized access, and from there reach data the account is entitled to. The search requires ingesting network traffic data (firewall, flow or packet logs) and mapping it to the Network_Traffic data model. Because the match is on destination port alone, a hit shows that a cleartext-capable service was reached, not that credentials were captured; confirm the protocol and account before escalating, and tune out known legacy hosts. A confirmed match is a finding to remediate, typically by moving the service to an encrypted equivalent (SSH, POP3S/IMAPS, SFTP or FTPS) and rotating the exposed credentials.
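As an added example, not part of this page or of Splunk's own search, the following Python re-implements the detection logic described above and runs it over a handful of constructed Network_Traffic-style events. Field names (action, transport, dest_port, user, src, dest, _time) follow the Splunk CIM Network_Traffic data model; the sample events, IP addresses and usernames are made up for the illustration. It also reproduces the per-group count/firstTime/lastTime summary a tstats search would emit, and treats an FTP event with no user field as a non-match, matching how a Splunk `!=` filter behaves on a missing field.

```python
"""Re-implementation of the 'Protocols passing authentication in cleartext'
filter over constructed Network_Traffic events (added example, not Splunk code)."""

# Destination ports the detection treats as cleartext-authentication protocols.
CLEARTEXT_AUTH_PORTS = {23: "telnet", 110: "pop3", 143: "imap"}
FTP_PORT = 21  # only flagged when the login is not anonymous


def is_cleartext_auth(event):
    """Return True when the event matches the detection filter.

    Rules mirrored from the page: TCP only, blocked actions excluded,
    Telnet/POP3/IMAP for any user, FTP only when user is present and
    is not 'anonymous' (a missing user field does not match, as with
    Splunk's != operator)."""
    if event.get("action") == "blocked":
        return False
    if str(event.get("transport", "")).lower() != "tcp":
        return False
    port = int(event.get("dest_port", 0))
    if port in CLEARTEXT_AUTH_PORTS:
        return True
    user = event.get("user")
    return port == FTP_PORT and user is not None and user != "anonymous"


def summarize(events):
    """Group matching events by (user, src, dest, dest_port) and compute
    count, firstTime and lastTime, the shape a tstats search would return."""
    groups = {}
    for ev in events:
        if not is_cleartext_auth(ev):
            continue
        key = (ev.get("user"), ev["src"], ev["dest"], int(ev["dest_port"]))
        g = groups.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1731672000, "action": "allowed", "transport": "tcp",
     "src": "10.0.0.5", "dest": "10.0.1.10", "dest_port": 23, "user": "jsmith"},
    {"_time": 1731672060, "action": "allowed", "transport": "tcp",
     "src": "10.0.0.5", "dest": "10.0.1.10", "dest_port": 23, "user": "jsmith"},
    # blocked by the firewall: excluded, no credentials crossed the wire
    {"_time": 1731672120, "action": "blocked", "transport": "tcp",
     "src": "10.0.0.7", "dest": "10.0.1.11", "dest_port": 110, "user": "bob"},
    # UDP to 143: not the TCP service the rule targets
    {"_time": 1731672180, "action": "allowed", "transport": "udp",
     "src": "10.0.0.8", "dest": "10.0.1.12", "dest_port": 143, "user": "carol"},
    # anonymous FTP: no real credential exposed, excluded
    {"_time": 1731672240, "action": "allowed", "transport": "tcp",
     "src": "10.0.0.9", "dest": "10.0.1.13", "dest_port": 21, "user": "anonymous"},
    # FTP login with a named account: flagged
    {"_time": 1731672300, "action": "allowed", "transport": "tcp",
     "src": "10.0.0.9", "dest": "10.0.1.13", "dest_port": 21, "user": "dave"},
    # HTTPS: not a port the rule covers
    {"_time": 1731672360, "action": "allowed", "transport": "tcp",
     "src": "10.0.0.10", "dest": "10.0.1.14", "dest_port": 443, "user": "erin"},
]


if __name__ == "__main__":
    for (user, src, dest, port), stats in summarize(SAMPLE_EVENTS).items():
        proto = CLEARTEXT_AUTH_PORTS.get(port, "ftp")
        print(f"{user}@{src} -> {dest}:{port} ({proto}) "
              f"count={stats['count']} first={stats['firstTime']} last={stats['lastTime']}")
```

Running the block prints two findings: the two Telnet sessions from jsmith collapse into one row with count 2, and dave's FTP login appears once; the blocked, UDP, anonymous and HTTPS events are all filtered out. Point this at real CIM-normalized events and the same filter applies unchanged.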
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
Created: 2024-11-15