SMB Connections via LOLBin or Untrusted Process

Elastic Detection Rules

Summary
The rule identifies potentially suspicious processes, either untrusted executables or living-off-the-land binaries (LOLBins), that make Server Message Block (SMB) network connections over port 445. This matters because legitimate Windows File Sharing connections generally originate from the kernel process (PID 4), so an SMB connection initiated by any other process is worth examining: it could indicate lateral movement within the network, exploitation attempts, or scanning. The rule uses a sequence in EQL (Event Query Language) to pair a process start with a subsequent network connection by that process to port 445, while filtering out known trusted processes, thereby homing in on potentially harmful activity. It also suggests investigation steps for analyzing unusual process behavior and outlines a response plan if an incident is confirmed, emphasizing careful review of account activity and network communications as well as checking for the presence of malware.
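The sequence logic the summary describes, replayed in Python over constructed endpoint telemetry as an added example (this is not the rule's EQL nor Elastic's code; the event field names, the LOLBin list, the trusted-process exclusion and the 30-second window are assumptions chosen for illustration):

```python
from dataclasses import dataclass
from typing import Optional

# Assumed lists (illustrative, not the rule's own): a few well-known LOLBins and
# a trusted-process exclusion; PID 4 is where legitimate SMB client traffic originates.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
TRUSTED_PROCESSES = {"explorer.exe"}
KERNEL_PID, SMB_PORT, MAXSPAN_SECONDS = 4, 445, 30.0

@dataclass
class Event:
    ts: float                        # seconds (constructed timestamps)
    category: str                    # "process" = start, "network" = connection
    entity_id: str                   # links a process start to its connections
    pid: int
    name: str
    signature_trusted: bool = False  # code-signature trust as reported by the sensor
    dest_port: Optional[int] = None

def detect_smb_from_untrusted(events: list) -> list:
    """Replay the sequence: a process start followed within MAXSPAN by a port-445
    connection from the same entity, unless it is PID 4 or a trusted process."""
    starts, hits = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.category == "process":
            starts[ev.entity_id] = ev
        elif ev.category == "network" and ev.dest_port == SMB_PORT and ev.pid != KERNEL_PID:
            start = starts.get(ev.entity_id)
            if start is None or ev.ts - start.ts > MAXSPAN_SECONDS:
                continue  # no matching start inside the sequence window
            if start.name.lower() in TRUSTED_PROCESSES:
                continue  # known-good exclusion
            if start.name.lower() in LOLBINS or not start.signature_trusted:
                hits.append(f"{start.name} (pid {start.pid}) -> tcp/{SMB_PORT}")
    return hits

# Constructed sample telemetry: kernel SMB, trusted explorer, a signed LOLBin,
# and an unsigned binary that first talks HTTPS and then SMB.
SAMPLE = [
    Event(0.0, "network", "sys", KERNEL_PID, "System", True, 445),
    Event(1.0, "process", "e1", 1200, "explorer.exe", True),
    Event(2.0, "network", "e1", 1200, "explorer.exe", True, 445),
    Event(3.0, "process", "r1", 1300, "rundll32.exe", True),
    Event(4.0, "network", "r1", 1300, "rundll32.exe", True, 445),
    Event(5.0, "process", "u1", 1400, "update.exe", False),
    Event(6.0, "network", "u1", 1400, "update.exe", False, 443),
    Event(7.0, "network", "u1", 1400, "update.exe", False, 445),
]
```

Running `detect_smb_from_untrusted(SAMPLE)` flags only the LOLBin and the unsigned binary; the kernel, the trusted process and the non-SMB connection are dropped, and a connection arriving after the window would not pair with its process start.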
Categories
  • Endpoint
  • Windows
  • Linux
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1021
  • T1021.002
Created: 2020-02-18