
Cisco Secure Firewall - File Download Over Uncommon Port

Splunk Security Content

Summary
This detection identifies file downloads that Cisco Secure Firewall flagged as malware and that were transferred over a port other than the conventional web ports 80 (HTTP) and 443 (HTTPS). Adversaries move tooling and payloads over non-standard ports (T1571) to get past controls and baselines that only inspect typical web traffic, so a malware-disposition download on an unusual port is a strong indicator of ingress tool transfer (T1105). The search runs over file event logs from Cisco Secure Firewall Threat Defense, keeps file download events, excludes ports 80 and 443, and summarizes the matching traffic by the characteristics of the files involved so an analyst can triage likely malware delivery. Because the match depends on the firewall's own file disposition, the rule only fires for files the firewall inspected and classified as malware; a clean or unknown disposition on an odd port does not alert. The search is written for Splunk and relies on macros for its data source and filtering. Implementing it requires onboarding the Cisco Secure Firewall logs into Splunk, and the filter macro should be tuned to exclude known legitimate services that use non-standard ports, which otherwise produce false positives.
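The following is an added example, not the Splunk rule's own SPL and not Cisco's code: a stand-alone Python re-implementation of the detection logic described above, run over a handful of constructed file-event records. The field names (disposition, direction, dest_port, file_name, sha256) and the tuple-based allowlist are assumptions standing in for the real Cisco Secure Firewall fields and the rule's filter macro; they are here to show the three conditions the search combines (download, malware disposition, uncommon port) and how grouping collapses repeated transfers of the same file.

```python
"""Added example: re-implementation of the 'file download over uncommon port'
logic in Python.  Field names below are assumed, not the actual Cisco Secure
Firewall Threat Defense field names used by the Splunk analytic."""
from collections import defaultdict

# Ports the rule treats as conventional web ports and excludes.
COMMON_PORTS = {80, 443}

# Constructed sample file events (not real Cisco logs).  Assumed fields:
#   direction   - "download" or "upload" from the firewall's perspective
#   disposition - firewall file disposition: Malware / Clean / Unknown
#   dest_port   - server-side TCP port the file was transferred over
SAMPLE_EVENTS = [
    {"src": "10.1.1.5", "dest": "203.0.113.10", "dest_port": 80,   "direction": "download",
     "disposition": "Malware", "file_name": "update.exe", "sha256": "a" * 64},
    {"src": "10.1.1.5", "dest": "203.0.113.10", "dest_port": 8080, "direction": "download",
     "disposition": "Malware", "file_name": "update.exe", "sha256": "a" * 64},
    {"src": "10.1.1.7", "dest": "198.51.100.4", "dest_port": 4444, "direction": "download",
     "disposition": "Malware", "file_name": "svc.dll", "sha256": "b" * 64},
    {"src": "10.1.1.7", "dest": "198.51.100.4", "dest_port": 4444, "direction": "download",
     "disposition": "Malware", "file_name": "svc.dll", "sha256": "b" * 64},
    {"src": "10.1.1.9", "dest": "192.0.2.8",    "dest_port": 8443, "direction": "download",
     "disposition": "Clean",   "file_name": "logo.png", "sha256": "c" * 64},
    {"src": "10.1.1.9", "dest": "192.0.2.8",    "dest_port": 2222, "direction": "upload",
     "disposition": "Malware", "file_name": "out.zip", "sha256": "d" * 64},
]


def is_suspicious(event, allowlist=frozenset()):
    """True when a malware-flagged *download* used a port other than 80/443
    and the (dest, port) pair is not on the site-specific allowlist.  The
    allowlist plays the role of the rule's filter macro: known-good services
    on non-standard ports go here instead of into the detection itself."""
    port = int(event["dest_port"])
    return (
        event["direction"] == "download"
        and event["disposition"] == "Malware"
        and port not in COMMON_PORTS
        and (event["dest"], port) not in allowlist
    )


def detect(events, allowlist=frozenset()):
    """Group matching events by (src, dest, dest_port, sha256) and summarize
    them, mirroring a stats-style aggregation: hit count plus file names seen.
    Returns a dict keyed by that tuple."""
    groups = defaultdict(lambda: {"count": 0, "file_names": set()})
    for ev in events:
        if is_suspicious(ev, allowlist):
            key = (ev["src"], ev["dest"], int(ev["dest_port"]), ev["sha256"])
            groups[key]["count"] += 1
            groups[key]["file_names"].add(ev["file_name"])
    return {
        key: {"count": g["count"], "file_names": sorted(g["file_names"])}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    # Port-80 download, the Clean file and the upload are all excluded;
    # the two identical svc.dll transfers collapse into one row with count=2.
    for (src, dest, port, sha256), summary in detect(SAMPLE_EVENTS).items():
        print(f"{src} -> {dest}:{port} sha256={sha256[:12]}... "
              f"count={summary['count']} files={summary['file_names']}")
```

The allowlist keyed on (destination, port) is the part worth tuning in a real deployment: an internal update server on 8080 goes there, not into a blanket exclusion of the port, so a malware-flagged download from anywhere else on 8080 still alerts.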
Categories
  • Network
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1105
  • T1571
Created: 2025-04-07