
Summary
The O365 Exfiltration via File Sync Download detection rule identifies anomalous behavior in which a user synchronizes an excessive number of files from Office 365 within a limited time period. This behavior can indicate malicious activity, either by an external actor leveraging the user-agent string to evade detection or by an insider attempting to remove sensitive data. The analytic targets any Office 365 operation matching 'filesyncdownload*' and uses the Office 365 Universal Audit Log as its primary data source. Note that this rule also flags activity from Azure Guest accounts (user principal names containing '#EXT#'), which warrant closer scrutiny. To implement this detection, configure the Splunk Microsoft Office 365 Add-on to collect management activity events. The detection logic filters on user activity, focusing on counts of synced files that exceed the established threshold, and evaluates user-agent information to assess whether the access is legitimate.
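To make the logic above concrete, here is an added Python re-implementation that runs the same filter, per-user time-window count, threshold check, user-agent collection and '#EXT#' guest flag over constructed Unified-Audit-Log-style records; it is not the rule's own SPL, and the threshold value, window size, tenant names and sample records are assumptions, since the page states none of them.

```python
"""Re-implementation of the page's O365 file-sync exfiltration logic over constructed
Unified Audit Log records (added example, not the Splunk rule's own SPL)."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed values: the rule uses a count threshold and time window but the page states
# neither, so these are illustrative, not the shipped rule's settings.
FILE_THRESHOLD = 10      # distinct files per user per window before alerting
WINDOW_SECONDS = 900     # 15-minute fixed bins, like Splunk `bin _time span=15m`

def is_sync_download(event):
    """True for any operation matching filesyncdownload*, e.g. FileSyncDownloadedFull."""
    return str(event.get("Operation", "")).lower().startswith("filesyncdownload")

def detect(events, threshold=FILE_THRESHOLD, window=WINDOW_SECONDS):
    """One finding per (user, window) whose distinct synced-file count exceeds the
    threshold; carries the user agents seen and whether the account is an Azure guest."""
    bins = defaultdict(lambda: {"files": set(), "agents": set()})
    for ev in events:
        if not is_sync_download(ev):
            continue
        ts = datetime.fromisoformat(ev["CreationTime"]).replace(tzinfo=timezone.utc)
        key = (ev["UserId"].lower(), int(ts.timestamp()) // window * window)
        bins[key]["files"].add(ev.get("ObjectId"))
        bins[key]["agents"].add(ev.get("UserAgent", "unknown"))
    findings = []
    for (user, start), b in sorted(bins.items()):
        if len(b["files"]) > threshold:
            findings.append({"user": user,
                             "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                             "file_count": len(b["files"]),
                             "user_agents": sorted(b["agents"]),
                             "is_guest": "#ext#" in user})   # guest UPNs carry #EXT#
    return findings

def _ev(ts, user, op, name):
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "ObjectId": f"https://tenant.example.sharepoint.com/docs/{name}",
            "UserAgent": "Microsoft SkyDriveSync 24.1"}

def sample_events():
    """Constructed records: a guest syncing 12 files in 12 seconds, an employee
    syncing 3, and an upload event the operation filter must ignore."""
    guest = "alice_partner.example#EXT#@tenant.onmicrosoft.com"
    evs = [_ev(f"2024-10-14T09:00:{i:02d}", guest, "FileSyncDownloadedFull", f"d{i}.docx") for i in range(12)]
    evs += [_ev(f"2024-10-14T09:05:{i:02d}", "bob@tenant.onmicrosoft.com", "FileSyncDownloadedPartial", f"r{i}.xlsx") for i in range(3)]
    evs.append(_ev("2024-10-14T09:06:00", guest, "FileSyncUploadedFull", "up.txt"))
    return evs
```

Running `detect(sample_events())` yields a single finding for the guest account with 12 files and the sync-client user agent; the employee's 3 files stay under the threshold and the upload is never counted.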
Categories
- Cloud
- Other
Data Sources
- File
- Cloud Service
ATT&CK Techniques
- T1567
- T1530
Created: 2024-10-14