
Summary
Detects the creation of Universal Data Link (.udl) files on Windows endpoints, a technique used in phishing: the user is prompted to test a database connection from the file, which can leak their credentials to the attacker. The rule relies on endpoint telemetry (EDR) mapped to the CIM Endpoint.Filesystem data model, filtering for Sysmon-like events where file_name ends with .udl and action is created. It surfaces associated metadata (destination host, file path, creation time, and the creating process path and ID), with data normalized to the Processes node for richer context. The rule includes drilldowns to view results per user/destination and to inspect recent risk events, aiding incident investigation and response. Because legitimate administrator or developer usage may also create UDL files, it recommends whitelisting trusted activity to reduce false positives. References and related analytics are provided to contextualize the technique.
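As an added illustration (not code from the rule or its project), the same filter, whitelisting step and per-user/destination drilldown expressed in Python over constructed CIM-style file events; the field names follow the Endpoint.Filesystem model, while the sample events and the trusted-process list are assumptions built for this example:

```python
# Assumed: events are already mapped to CIM Endpoint.Filesystem field names; the sample
# events and the trusted list below are constructed for this example, not real telemetry.
from collections import Counter

SAMPLE_EVENTS = [  # constructed Sysmon-like file events
    {"dest": "ws01", "user": "CORP\\alice", "file_name": "Invoice.UDL", "action": "created",
     "file_path": "C:\\Users\\alice\\Downloads\\Invoice.UDL", "process_id": 4120,
     "file_create_time": "2026-04-13T09:12:03Z", "process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"dest": "build01", "user": "CORP\\svc_build", "file_name": "db.udl", "action": "created",
     "file_path": "C:\\build\\db.udl", "process_id": 220,
     "file_create_time": "2026-04-13T09:14:40Z", "process_path": "C:\\Windows\\System32\\cmd.exe"},
    {"dest": "ws01", "user": "CORP\\alice", "file_name": "notes.txt", "action": "created",
     "file_path": "C:\\Users\\alice\\notes.txt", "process_id": 5110,
     "file_create_time": "2026-04-13T09:15:00Z", "process_path": "C:\\Windows\\System32\\notepad.exe"},
    {"dest": "ws02", "user": "CORP\\bob", "file_name": "old.udl", "action": "deleted",
     "file_path": "C:\\temp\\old.udl", "process_id": 900,
     "file_create_time": "2026-04-10T08:00:00Z", "process_path": "C:\\Windows\\explorer.exe"},
]

# Whitelist of (dest, lower-cased process_path) pairs for known admin/developer activity,
# the false-positive reduction the rule recommends. Constructed for this example.
TRUSTED = {("build01", "c:\\windows\\system32\\cmd.exe")}

REPORT_FIELDS = ("dest", "user", "file_name", "file_path", "file_create_time",
                 "process_path", "process_id")


def is_udl_creation(event):
    """Mirror the rule's filter: action is 'created' and file_name ends with .udl.
    Windows file names are case-insensitive, so the extension check is too."""
    return (event.get("action") == "created"
            and event.get("file_name", "").lower().endswith(".udl"))


def detect_udl_creations(events, trusted=frozenset()):
    """Return one finding per non-whitelisted UDL creation, carrying the rule's metadata."""
    findings = []
    for ev in events:
        if not is_udl_creation(ev):
            continue
        if (ev.get("dest"), ev.get("process_path", "").lower()) in trusted:
            continue  # whitelisted admin/developer activity
        findings.append({k: ev.get(k) for k in REPORT_FIELDS})
    return findings


def count_by_user_dest(findings):
    """Drilldown view: number of findings per (user, dest) pair."""
    return dict(Counter((f["user"], f["dest"]) for f in findings))
```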
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
ATT&CK Techniques
- T1204.002
- T1566.001
Created: 2026-04-13