RPC (Remote Procedure Call) to the Internet

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious Remote Procedure Call (RPC) traffic directed towards the Internet. RPC is a protocol for remote management and access to shared resources, which makes it essential for system administration, but it poses significant security risk when exposed externally and often serves as an entry point for threat actors. The rule monitors network events, looking specifically for TCP traffic on designated ports (notably port 135) from internal IP addresses towards the Internet, and flags these events for further investigation. RPC traffic directed at external IP addresses that should not be receiving it may indicate an attack or breach and warrants immediate scrutiny and, where confirmed, incident response. The rule is built around a specific query against logging indices designed to track this anomalous network behavior, with a high risk score reflecting the potential severity of such events. It includes steps for investigation, false positive analysis, and response to mitigate the risks of unauthorized RPC traffic exposure.
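The logic described above, re-implemented as an added example that is not Elastic's own rule query and not part of the original page: a small Python matcher run over constructed ECS-style flow events. It assumes ECS field names (network.transport, source.ip, destination.ip, destination.port, event.id), treats RFC 1918 plus IPv6 ULA as "internal" source ranges, and treats any destination outside the private, loopback, link-local and multicast ranges listed in the code as "the Internet"; the real rule's port list and exclusion list may differ.

```python
"""
Added example (not Elastic's own rule query): a re-implementation of the detection
logic described on this page, applied to constructed ECS-style network flow events.
Assumptions: ECS field names; "internal" sources are RFC 1918 plus IPv6 ULA; "the
Internet" is any destination outside NOT_INTERNET_NETS below. The real rule's port
and exclusion lists may differ.
"""
import ipaddress

RPC_PORTS = {135}  # TCP endpoint mapper port, the port the page names

# Assumed "internal" source ranges (RFC 1918 plus IPv6 ULA).
INTERNAL_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumed ranges that do not count as "the Internet" for the destination check.
NOT_INTERNET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def field(event, dotted):
    """Look up a dotted ECS path such as "destination.port" in a nested dict; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_ip(text):
    """Return an ip_address object, or None when the value is missing or malformed."""
    try:
        return ipaddress.ip_address(text)
    except (TypeError, ValueError):
        return None


def in_any(addr, nets):
    """True if addr lies inside one of nets (mixed IPv4/IPv6 comparisons are simply False)."""
    return any(addr in net for net in nets)


def is_rpc_to_internet(event):
    """Apply the described logic: TCP to an RPC port, internal source, destination on the Internet."""
    if field(event, "network.transport") != "tcp":
        return False
    if field(event, "destination.port") not in RPC_PORTS:
        return False
    src = parse_ip(field(event, "source.ip"))
    dst = parse_ip(field(event, "destination.ip"))
    # Malformed or missing addresses never match; they should be handled as data-quality issues.
    if src is None or dst is None:
        return False
    return in_any(src, INTERNAL_SOURCE_NETS) and not in_any(dst, NOT_INTERNET_NETS)


def matching_event_ids(events):
    """IDs of the events that would raise an alert under this logic."""
    return [field(e, "event.id") for e in events if is_rpc_to_internet(e)]


# Constructed sample events. 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are
# documentation ranges standing in for Internet addresses.
SAMPLE_EVENTS = [
    {"event": {"id": "evt-1"}, "network": {"transport": "tcp"},
     "source": {"ip": "10.1.2.3"}, "destination": {"ip": "203.0.113.10", "port": 135}},
    {"event": {"id": "evt-2"}, "network": {"transport": "tcp"},       # internal destination
     "source": {"ip": "10.1.2.3"}, "destination": {"ip": "10.1.2.4", "port": 135}},
    {"event": {"id": "evt-3"}, "network": {"transport": "tcp"},       # not an RPC port
     "source": {"ip": "10.1.2.3"}, "destination": {"ip": "203.0.113.10", "port": 443}},
    {"event": {"id": "evt-4"}, "network": {"transport": "udp"},       # not TCP
     "source": {"ip": "10.1.2.3"}, "destination": {"ip": "203.0.113.10", "port": 135}},
    {"event": {"id": "evt-5"}, "network": {"transport": "tcp"},       # external source
     "source": {"ip": "203.0.113.5"}, "destination": {"ip": "198.51.100.7", "port": 135}},
    {"event": {"id": "evt-6"}, "network": {"transport": "tcp"},       # IPv6 ULA to Internet
     "source": {"ip": "fd12::1"}, "destination": {"ip": "2001:db8::1", "port": 135}},
    {"event": {"id": "evt-7"}, "network": {"transport": "tcp"},       # malformed destination
     "source": {"ip": "192.168.5.5"}, "destination": {"ip": "not-an-ip", "port": 135}},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(field(e, "event.id"), "ALERT" if is_rpc_to_internet(e) else "ok")
```

The exclusion list is where most tuning happens in practice: hosts that legitimately reach RPC endpoints across a VPN or to a partner network appear as "Internet" destinations until their ranges are added to NOT_INTERNET_NETS, which is the kind of false positive analysis the page's summary refers to.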
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
  • Firewall
ATT&CK Techniques
  • T1190
Created: 2020-02-18