
Summary
This experimental rule detects potential data exfiltration via bulk Dropbox downloads by monitoring Dropbox.TeamEvent file_download events. It triggers when a single actor downloads more than 10 distinct files within 60 minutes (threshold 11). The rule relies on the Cloud Service data source (Dropbox.TeamEvent) and targets cloud-based file activity. It is disabled by default and marked Experimental; deduplication is applied over a 60-minute period to reduce noise. It maps to MITRE ATT&CK Exfiltration (TA0010:T1567). The Runbook describes investigating by listing all assets downloaded by the actor in a two-hour window around the alert, checking involve_non_team_member and the origin IP location to assess external access, and reviewing related activity by the same user in the prior 24 hours (external sharing, ownership transfers, or logins from new devices/locations). Tests illustrate a normal team-member download (not triggering under the threshold), a download involving a non-member (potential exfiltration) and a non-download event (no alert).
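The detection logic and the first runbook step, as an added example that is not the rule's own implementation: a sliding 60-minute window counts distinct files per actor and alerts at the 11th, and a triage helper lists what the actor downloaded in the two-hour window around the alert, flagging non-team-member involvement. The flat event layout (actor_email, event_type, path, timestamp, involve_non_team_member) and the sample events are constructed simplifications of Dropbox.TeamEvent, not the real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 11                    # "more than 10 distinct files"
WINDOW = timedelta(minutes=60)    # rule window (dedup period is also 60 min)
BASE = datetime(2026, 4, 21, 9, 0)  # constructed base timestamp

def _ev(actor, etype, path, minute, non_member=False):
    # Constructed, simplified event; assumed field names, not Dropbox's schema.
    return {"actor_email": actor, "event_type": etype, "path": path,
            "timestamp": BASE + timedelta(minutes=minute),
            "involve_non_team_member": non_member}

SAMPLE_EVENTS = (  # constructed sample log
    [_ev("alice@example.com", "file_download", f"/finance/q1-{i}.xlsx", 2 * i,
         non_member=(i == 11)) for i in range(12)]           # 12 distinct files
    + [_ev("bob@example.com", "file_download", f"/docs/{i}.txt", i) for i in range(3)]
    + [_ev("carol@example.com", "file_download", "/shared/readme.md", i)
       for i in range(15)]                                    # 15 downloads, 1 file
    + [_ev("alice@example.com", "file_add", "/finance/new.xlsx", 5)]  # not a download
)

def rule(event):
    """Per-event filter: only file_download events feed the counter."""
    return event["event_type"] == "file_download"

def find_bulk_downloads(events, threshold=THRESHOLD, window=WINDOW):
    """Return {actor: {alert_time, files}} for actors whose distinct downloaded
    paths reach `threshold` inside any `window`-long span (first crossing only)."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if rule(ev):
            by_actor[ev["actor_email"]].append(ev)
    alerts = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):          # each event opens a candidate window
            distinct = set()
            for ev in evs[i:]:
                if ev["timestamp"] - start["timestamp"] > window:
                    break
                distinct.add(ev["path"])          # repeats of one file count once
                if len(distinct) >= threshold:
                    alerts[actor] = {"alert_time": ev["timestamp"], "files": distinct}
                    break
            if actor in alerts:
                break
    return alerts

def assets_around_alert(events, actor, alert_time, half_window=timedelta(hours=1)):
    """Runbook step 1: every asset the actor downloaded within the two-hour window
    centred on the alert, with the involve_non_team_member flag for each."""
    return [(ev["path"], ev["involve_non_team_member"])
            for ev in sorted(events, key=lambda e: e["timestamp"])
            if ev["actor_email"] == actor and rule(ev)
            and abs(ev["timestamp"] - alert_time) <= half_window]
```

Carol's fifteen downloads of one file never alert, which is the distinct-file property the threshold depends on; Alice's alert fires at her 11th distinct file and the triage list shows the single non-team-member download.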
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1567
Created: 2026-04-21