High Frequency Copy Of Files In Network Share

Splunk Security Content

Summary
This detection rule monitors for abnormal patterns of file copying or moving activity across network shares, and is designed to identify potential data exfiltration or sabotage incidents. The analytic uses Windows Security Event Logs, focusing on EventCode 5145 (network share object access), to track access to file types commonly associated with sensitive data. This is particularly relevant in enterprise environments where insider threats or malicious activity might target internal files. By applying statistical analysis over a defined time span, the rule identifies unusual spikes in copying activity and flags them for further investigation. Confirmed malicious behavior could lead to unauthorized data access or loss, so timely response actions are required.
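The spike detection the summary describes, as an added illustration that is not Splunk's rule or its SPL: constructed EventCode 5145-style records are bucketed by user and 5-minute window, and a bucket is flagged when accesses to tracked file types reach a threshold. The extension list, the window size and the threshold of 20 are assumptions.

```python
"""Spike detection over Windows EventCode 5145 (network share object access) records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of file types treated as "sensitive" for this illustration.
SENSITIVE_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".pptx", ".csv", ".txt"}


def build_sample_events():
    """Constructed sample 5145 records (timestamp, SubjectUserName, ShareName, RelativeTargetName).

    alice touches 25 spreadsheets in one 48-second burst; bob touches 3 documents and one
    executable. These are fabricated for the example, not real logs."""
    base = datetime(2024, 11, 13, 9, 0, 0)
    events = [((base + timedelta(seconds=2 * i)).isoformat(), "alice",
               "\\\\*\\Finance", f"Q3\\report_{i}.xlsx") for i in range(25)]
    events += [((base + timedelta(minutes=1, seconds=10 * i)).isoformat(), "bob",
                "\\\\*\\Finance", f"notes_{i}.docx") for i in range(3)]
    events.append((base.isoformat(), "bob", "\\\\*\\Finance", "tools\\setup.exe"))  # untracked type
    return events


def is_sensitive(target_name):
    """True when the accessed object has one of the tracked extensions."""
    return any(target_name.lower().endswith(ext) for ext in SENSITIVE_EXTENSIONS)


def count_by_user_and_window(events, span_minutes=5):
    """Count tracked-file accesses per (user, time bucket), like `bin _time span=5m | stats count`."""
    counts = defaultdict(int)
    for ts, user, _share, target in events:
        if not is_sensitive(target):
            continue
        t = datetime.fromisoformat(ts)
        # Align the timestamp down to the start of its span_minutes-wide window.
        bucket = t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)
        counts[(user, bucket.isoformat())] += 1
    return counts


def flag_spikes(events, span_minutes=5, threshold=20):
    """Return sorted (user, window_start, count) tuples whose count reaches the threshold."""
    return sorted((user, window, n)
                  for (user, window), n in count_by_user_and_window(events, span_minutes).items()
                  if n >= threshold)


if __name__ == "__main__":
    for user, window, n in flag_spikes(build_sample_events()):
        print(f"spike: user={user} window={window} count={n}")
```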
Categories
  • Network
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1537
Created: 2024-11-13