Spike in Remote File Transfers

Elastic Detection Rules

Summary
This detection rule identifies unusual spikes in remote file transfers on host systems, which may indicate lateral movement by an attacker. Lateral movement is a common tactic used by malicious actors to reach more sensitive data or systems after they have gained an initial foothold in a network. The rule uses a machine learning model to analyze transfer volumes over a defined time period (the previous 90 minutes) and compares the current behavior against established baselines. If the anomaly score exceeds a threshold of 70, an alert is triggered so that security teams can investigate and respond to potential incidents. The setup requires integration with both the Lateral Movement Detection and Elastic Defend systems, which must capture file and remote desktop protocol (RDP) process event logs. The rule helps distinguish legitimate business operations from potentially malicious activity involving data exfiltration. Because false positives are possible, for example operational file transfers during large-scale business activities, procedures for handling such alerts are built into the rule's investigation and remediation guidance. Continued monitoring and refinement of thresholds and baselines are recommended to minimize unnecessary alerts while ensuring that genuine threats are addressed.
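To make the "current window against baseline" comparison concrete, here is an added example that is not Elastic's rule or its machine-learning job: a plain z-score over 90-minute buckets stands in for the ML anomaly score, the host names, event rows and the threshold of 3.0 are all constructed, and the `remote_file_transfer` action label is an assumed stand-in for the file and RDP events the real rule consumes.

```python
"""Illustrative spike scorer for remote file transfer counts.

Added example, not Elastic's rule: a z-score over 90-minute buckets stands
in for the ML anomaly score. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=90)   # bucket width matching the rule's look-back
Z_THRESHOLD = 3.0                # constructed stand-in for the rule's score of 70
EPOCH = datetime(1970, 1, 1)     # midnight always aligns to a 90-minute boundary

def synthetic(host, per_window, start="2023-10-12T00:00:00"):
    """Constructed (timestamp, host, action) rows: n transfers per window."""
    base = datetime.fromisoformat(start)
    return [((base + k * WINDOW + timedelta(minutes=i)).isoformat(),
             host, "remote_file_transfer")
            for k, n in enumerate(per_window) for i in range(n)]

# srv01 has a quiet baseline then a burst; srv02 is steady; one row is noise.
EVENTS = (synthetic("srv01", [2, 3, 2, 3, 20])
          + synthetic("srv02", [5, 5, 5, 5, 6])
          + [("2023-10-12T06:10:00", "srv01", "local_copy")])

def bucket_counts(events):
    """Per host: {window_index: transfer count}, zero-filled for gaps."""
    raw = defaultdict(lambda: defaultdict(int))
    for ts, host, action in events:
        if action != "remote_file_transfer":
            continue                     # only remote transfers feed the score
        raw[host][(datetime.fromisoformat(ts) - EPOCH) // WINDOW] += 1
    return {h: {i: w.get(i, 0) for i in range(min(w), max(w) + 1)}
            for h, w in raw.items()}

def score_latest(per_window):
    """z-score of the newest window against every earlier window."""
    idxs = sorted(per_window)
    if len(idxs) < 3:
        return 0.0                       # too little history for a baseline
    hist = [per_window[i] for i in idxs[:-1]]
    mu, sd = mean(hist), pstdev(hist)
    return (per_window[idxs[-1]] - mu) / sd if sd else 0.0

def alerts(events, threshold=Z_THRESHOLD):
    """Hosts whose latest 90-minute window spikes above their own baseline."""
    scores = {h: score_latest(w) for h, w in bucket_counts(events).items()}
    return {h: round(s, 2) for h, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    print(alerts(EVENTS))                # {'srv01': 35.0}
```

A flat baseline (srv02) yields a score of 0.0 rather than a division error, and windows with no transfers are counted as zero so a quiet period lowers the baseline instead of vanishing from it.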
Categories
  • Endpoint
  • Network
  • Cloud
Data Sources
  • File
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1210
Created: 2023-10-12