
Suspicious OAuth App File Download Activities

Sigma Rules

Summary
This detection rule identifies potentially malicious activity in which an OAuth application downloads multiple files from Microsoft SharePoint or OneDrive in a pattern that is unusual for the specific user. Such behaviour can indicate a data exfiltration attempt or misuse of an authorised application. The rule relies on logs from Microsoft Cloud App Security and focuses on events that the service has already flagged as suspicious because of their frequency or nature. It monitors events sourced from the Security Compliance Center and specifically targets successful file download activities initiated by OAuth apps. When an app is observed downloading an excessive number of files under circumstances judged abnormal relative to the user's historical behaviour, a security alert is triggered. This proactive approach helps catch potential threats before they escalate into serious incidents.
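The matching logic described above, as an added example that is not part of the original rule page: a small Python filter that replays audit events and returns only the successful, Security Compliance Center-sourced "suspicious OAuth app file download" events the rule is interested in. The field names (eventSource, eventName, status, userId, appId, creationTime) and the sample events are assumptions constructed for illustration; note that the per-user baseline is computed upstream by Cloud App Security, so the rule only surfaces events already flagged there.

```python
"""Toy re-implementation of the detection logic from the rule summary.

Assumption (not from the page): events are dicts using field names
commonly seen in Microsoft 365 audit log exports. All sample data below
is constructed and does not describe any real tenant.
"""
from typing import Iterable

# The three conditions the rule combines.
EVENT_SOURCE = "SecurityComplianceCenter"
EVENT_NAME = "Suspicious OAuth app file download activities"
STATUS = "success"


def _field(event: dict, key: str) -> str:
    """Fetch a field as a lower-cased string; missing fields never match."""
    return str(event.get(key, "")).strip().lower()


def matches_rule(event: dict) -> bool:
    """True when one audit event satisfies all three conditions."""
    return (
        _field(event, "eventSource") == EVENT_SOURCE.lower()
        and _field(event, "eventName") == EVENT_NAME.lower()
        and _field(event, "status") == STATUS.lower()
    )


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Scan a stream of events; return the user/app/time tuples to alert on."""
    return [
        {"user": e.get("userId"), "app": e.get("appId"), "time": e.get("creationTime")}
        for e in events
        if matches_rule(e)
    ]


# Constructed sample events (assumed field layout, not real log data).
SAMPLE_EVENTS = [
    {"creationTime": "2021-08-23T10:02:11Z", "eventSource": "SecurityComplianceCenter",
     "eventName": "Suspicious OAuth app file download activities", "status": "Success",
     "userId": "alice@example.com", "appId": "app-id-placeholder-1"},
    # Same alert type, but the download did not succeed: out of scope for the rule.
    {"creationTime": "2021-08-23T10:05:40Z", "eventSource": "SecurityComplianceCenter",
     "eventName": "Suspicious OAuth app file download activities", "status": "failure",
     "userId": "bob@example.com", "appId": "app-id-placeholder-2"},
    # Ordinary interactive SharePoint download, not an OAuth-app alert at all.
    {"creationTime": "2021-08-23T10:07:03Z", "eventSource": "SharePoint",
     "eventName": "FileDownloaded", "status": "success",
     "userId": "alice@example.com", "appId": ""},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} app={hit['app']} at {hit['time']}")
```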
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2021-08-23