Potentially Suspicious File Creation by OpenEDR's ITSMService

Summary
Detects creation of potentially suspicious files by OpenEDR's ITSMService.exe. The rule triggers when the ITSMService process image ends with \COMODO\Endpoint Manager\ITSMService.exe and a new file is created with a high-risk extension (e.g., .7z, .bat, .cmd, .com, .dll, .exe, .hta, .js, .pif, .ps1, .rar, .scr, .vbe, .vbs, .zip). This combination reduces false positives to events where OpenEDR's remote management tool writes executables or scripts to disk, which could indicate unauthorized file uploads, data staging, or deployment via the ITSM workflow. The rule aligns with MITRE techniques T1105 (Ingress Tool Transfer), T1570 (Lateral Movement), and T1219 (Remote File Copy).
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Image
  • File
Created: 2026-02-19