
HTTP Request to Low Reputation TLD or Suspicious File Extension


Summary
This detection rule identifies HTTP requests to domains under low-reputation top-level domains (TLDs), or requests for files with suspicious extensions, both of which are frequently associated with malicious activity. The rule focuses on TLDs such as .xyz, .top, and .ru, which are commonly associated with online threats, and flags requests for file types often used in exploits or malware delivery, such as .exe, .dll, and .hta. It operates on log data from the Zeek HTTP service, matching each request against two criteria: whether the requested host falls under a low-reputation TLD, and whether the requested file's extension appears on a list of potentially harmful types. If either condition is met, an alert is raised, helping security teams monitor and respond to possible initial-access attempts or command-and-control communications. Flagging traffic to low-quality domains and requests for executable files in this way helps reduce the associated risk and contributes to an organization's overall security posture.
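The following is an added example, not part of this page or of the Sigma rule itself, showing the rule's OR logic applied to Zeek http.log records in JSON format. The TLD and extension lists are the ones named in the summary (the actual rule's lists may be longer), the log records are constructed, and the handling of a :port suffix, an unset ("-") host and a query string are assumptions about how a practitioner would want edge cases treated.

```python
import json
from urllib.parse import urlsplit

# Indicators named in the rule summary (the rule's own lists may be longer).
LOW_REP_TLDS = {"xyz", "top", "ru"}
SUSPICIOUS_EXTS = {".exe", ".dll", ".hta"}

# Constructed Zeek http.log records (JSON output format), not real traffic.
SAMPLE_HTTP_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","host":"cdn.example.xyz:8080","uri":"/assets/app.js"}
{"uid":"C2","id.orig_h":"10.0.0.5","host":"files.example.com","uri":"/dl/Setup.EXE?token=abc"}
{"uid":"C3","id.orig_h":"10.0.0.7","host":"www.example.org","uri":"/index.html"}
{"uid":"C4","id.orig_h":"10.0.0.9","host":"-","uri":"/beacon.hta"}
"""

def host_tld(host):
    """Lowercase TLD of a Host header (ignores :port); '-' or an IP literal yields None."""
    if not host or host == "-":
        return None
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    label = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return label if label.isalpha() else None

def uri_extension(uri):
    """Lowercase extension of the URI path; query string and fragment are ignored."""
    last = urlsplit(uri or "").path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else None

def evaluate(record):
    """Apply the rule's OR logic to one record; return the conditions matched."""
    reasons = []
    if host_tld(record.get("host")) in LOW_REP_TLDS:
        reasons.append("low_reputation_tld")
    if uri_extension(record.get("uri")) in SUSPICIOUS_EXTS:
        reasons.append("suspicious_extension")
    return reasons

def scan_http_log(text):
    """Run the detection over newline-delimited JSON http.log lines; return alerts."""
    alerts = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        reasons = evaluate(rec)
        if reasons:
            alerts.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                           "host": rec["host"], "uri": rec["uri"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    print(scan_http_log(SAMPLE_HTTP_LOG))
```

Records C1 (host under .xyz), C2 (.EXE behind a query string) and C4 (.hta with no Host header) produce alerts; C3 does not.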
Categories
  • Network
  • Web
Data Sources
  • Web Credential
  • Network Traffic
Created: 2025-02-26