
Summary
This detection rule identifies network traffic indicating potentially dangerous use of the Windows Server Message Block (SMB) or Common Internet File System (CIFS) protocol toward the Internet. SMB is widely used on internal networks for sharing files, printers, and other resources, but it should not be exposed to the Internet because it is a frequent target for attackers seeking unauthorized access or performing data exfiltration. The rule monitors TCP connections to ports 139 and 445 that originate from internal networks and go to unknown external IP addresses, while excluding a range of known internal and local IP addresses so that ordinary file-sharing traffic does not fire the alert. The detection draws on several data sources, including Packetbeat, Auditbeat, and network traffic logs, to provide comprehensive visibility. A risk score of 73 reflects the potential severity of threats associated with such SMB traffic. The rule is designed to flag SMB activity leaving the expected network boundary and to support incident investigation and response workflows for possible network compromise and data theft.
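The matching logic the summary describes (TCP to port 139 or 445, internal source, destination outside the known internal and local ranges) can be expressed directly over network flow records. The following Python is an added example and is not the rule's own query or code; the RFC 1918 source ranges, the excluded destination ranges, the flow-record field names (`src_ip`, `dst_ip`, `dst_port`, `transport`) and the sample flows are all assumptions constructed for this illustration.

```python
import ipaddress
from typing import Iterable, List

# SMB/CIFS ports named in the rule summary.
SMB_PORTS = {139, 445}

# Assumed "internal network" source ranges (RFC 1918). The page does not list
# the exact ranges the rule uses, so these are an assumption for the example.
INTERNAL_SOURCES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed "known safe internal and local" destination ranges to exclude:
# private, loopback, link-local, multicast and broadcast. Also an assumption.
EXCLUDED_DESTINATIONS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    )
]


def _in_any(ip: ipaddress._BaseAddress, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if ip falls inside any of the given networks (same IP version only)."""
    return any(ip.version == net.version and ip in net for net in nets)


def is_smb_to_internet(flow: dict) -> bool:
    """Return True when a flow record matches: TCP, SMB port, internal source,
    destination not in an excluded internal/local range."""
    if flow.get("transport") != "tcp":
        return False
    if flow.get("dst_port") not in SMB_PORTS:
        return False
    try:
        src = ipaddress.ip_address(flow["src_ip"])
        dst = ipaddress.ip_address(flow["dst_ip"])
    except (KeyError, ValueError):
        # Malformed record: do not alert, but a real pipeline should log it.
        return False
    return _in_any(src, INTERNAL_SOURCES) and not _in_any(dst, EXCLUDED_DESTINATIONS)


def find_alerts(flows: Iterable[dict]) -> List[dict]:
    """Filter a stream of flow records down to those that should raise the alert."""
    return [f for f in flows if is_smb_to_internet(f)]


# Constructed sample flows. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges and stand in for arbitrary external (Internet) hosts here.
SAMPLE_FLOWS = [
    {"id": 1, "src_ip": "192.168.1.20", "dst_ip": "203.0.113.5",  "dst_port": 445, "transport": "tcp"},  # alert
    {"id": 2, "src_ip": "192.168.1.20", "dst_ip": "192.168.1.10", "dst_port": 445, "transport": "tcp"},  # internal share
    {"id": 3, "src_ip": "10.0.0.5",     "dst_ip": "198.51.100.7", "dst_port": 139, "transport": "tcp"},  # alert
    {"id": 4, "src_ip": "10.0.0.5",     "dst_ip": "198.51.100.7", "dst_port": 443, "transport": "tcp"},  # HTTPS, not SMB
    {"id": 5, "src_ip": "192.168.1.20", "dst_ip": "203.0.113.5",  "dst_port": 445, "transport": "udp"},  # not TCP
    {"id": 6, "src_ip": "203.0.113.9",  "dst_ip": "203.0.113.5",  "dst_port": 445, "transport": "tcp"},  # source not internal
    {"id": 7, "src_ip": "192.168.1.20", "dst_ip": "169.254.1.1",  "dst_port": 445, "transport": "tcp"},  # link-local, excluded
    {"id": 8, "src_ip": "192.168.1.20", "dst_ip": "not-an-ip",    "dst_port": 445, "transport": "tcp"},  # malformed record
]


def alert_ids(flows: Iterable[dict] = SAMPLE_FLOWS) -> List[int]:
    """Convenience wrapper returning the ids of matching sample flows."""
    return [f["id"] for f in find_alerts(flows)]


if __name__ == "__main__":
    for f in find_alerts(SAMPLE_FLOWS):
        print(f"ALERT: {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} ({f['transport']})")
```

Only flows 1 and 3 match: both are TCP to an SMB port from a private source to a destination outside every excluded range. The exclusion list is the part that needs tuning per environment; any legitimate external SMB destination (for example a cloud file service the organization actually uses) should be added to it rather than suppressed downstream, otherwise the rule's risk score of 73 will be attached to expected traffic.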
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Windows Registry
ATT&CK Techniques
- T1190
- T1048
Created: 2020-02-18