
Summary
This analytic rule detects significant volumes of ICMP traffic directed towards external IP addresses, specifically packets whose total byte count exceeds 1,000 bytes. Using the Network_Traffic data model, it captures both inbound and outbound ICMP traffic to surface patterns that may indicate potential security threats, such as covert communications, information smuggling, or Command and Control (C2) activity. Traffic to internal IP ranges is excluded, so the rule focuses on potentially malicious exchanges with external endpoints. If confirmed as a threat, such patterns may signify ICMP tunneling or unauthorized data transfer and warrant immediate investigation. The detection depends on Palo Alto traffic logs being ingested into Splunk and mapped to the Common Information Model (CIM) so that the data model fields are populated correctly. Analysts triaging alerts from this rule should expect false positives from legitimate uses of ICMP, and the byte threshold may need to be adjusted to fine-tune detection accuracy.
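The filtering and aggregation logic the summary describes, written as an added Python example rather than the rule's own Splunk search (which this page does not reproduce). It treats CIM Network_Traffic fields (`transport`, `bytes`, `src_ip`, `dest_ip`) as plain dictionary keys, assumes the three RFC 1918 ranges are the "internal" space to exclude, keys the external-endpoint check on the destination address, and runs over constructed sample records, not real Palo Alto logs. The threshold is a parameter so the tuning the summary mentions can be tried directly.

```python
import ipaddress
from collections import defaultdict

# Byte threshold taken from the rule summary; raise it if benign ICMP keeps tripping it.
BYTE_THRESHOLD = 1000

# Assumption: "internal" means RFC 1918 space. Replace with the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records shaped like CIM Network_Traffic fields (not real log data).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "transport": "icmp", "bytes": 1500},  # large, external
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "transport": "icmp", "bytes": 2000},  # large, external
    {"src_ip": "10.1.2.3", "dest_ip": "10.1.2.254", "transport": "icmp", "bytes": 5000},    # internal dest: excluded
    {"src_ip": "10.1.2.3", "dest_ip": "198.51.100.5", "transport": "icmp", "bytes": 64},    # normal-sized ping
    {"src_ip": "10.1.2.4", "dest_ip": "198.51.100.5", "transport": "tcp", "bytes": 9000},   # not ICMP
    {"src_ip": "198.51.100.7", "dest_ip": "10.1.2.5", "transport": "icmp", "bytes": 1200},  # inbound to internal host
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches_rule(event: dict, threshold: int = BYTE_THRESHOLD) -> bool:
    """An event matches when it is ICMP, larger than the threshold, and its destination is external."""
    if str(event.get("transport", "")).lower() != "icmp":
        return False
    try:
        size = int(event.get("bytes", 0))
    except (TypeError, ValueError):
        return False  # malformed byte count: do not alert on junk
    if size <= threshold:
        return False
    dest = event.get("dest_ip")
    if not dest:
        return False
    try:
        return not is_internal(dest)
    except ValueError:
        return False  # unparsable address field


def large_external_icmp(events, threshold: int = BYTE_THRESHOLD) -> list:
    """Return only the events that satisfy the rule at the given threshold."""
    return [e for e in events if matches_rule(e, threshold)]


def summarize(events, threshold: int = BYTE_THRESHOLD) -> dict:
    """Aggregate matches per (src_ip, dest_ip) pair: packet count, total bytes, largest packet."""
    stats = defaultdict(lambda: {"count": 0, "total_bytes": 0, "max_bytes": 0})
    for e in large_external_icmp(events, threshold):
        s = stats[(e.get("src_ip"), e.get("dest_ip"))]
        size = int(e["bytes"])
        s["count"] += 1
        s["total_bytes"] += size
        s["max_bytes"] = max(s["max_bytes"], size)
    return dict(stats)


if __name__ == "__main__":
    for (src, dest), s in summarize(SAMPLE_EVENTS).items():
        print(f"{src} -> {dest}: {s['count']} large ICMP packets, "
              f"{s['total_bytes']} bytes total, largest {s['max_bytes']}")
```

Only the two 10.1.2.3 to 203.0.113.10 packets survive the filter on the sample data; the 5,000-byte packet to an internal host, the 64-byte ping, the TCP flow and the inbound packet are all dropped, which mirrors the exclusions the summary lists. Raising the threshold to 1,800 bytes leaves a single match, which is the kind of tuning an analyst would do when legitimate ICMP produces noise.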
Categories
- Network
Data Sources
- Pod
- Network Traffic
ATT&CK Techniques
- T1095
Created: 2025-03-27