FTP (File Transfer Protocol) Activity to the Internet

Elastic Detection Rules

Summary
This detection rule flags FTP (File Transfer Protocol) connections from the internal network to the Internet. FTP is a plausible channel for an adversary to exfiltrate data or to pull tooling into a network, and it is easy to overlook because it is an old, well-understood protocol. FTP has been in wide use since the 1980s, and its design predates transport encryption: credentials and file contents are sent in clear text, so anyone positioned to observe the traffic can capture them.

The rule matches network events that meet all of the following: TCP transport; a destination port of 20 or 21 (FTP data and control), or an event from an FTP-specific network dataset; a source address in the recognized internal (private) address ranges; and a destination address outside those internal ranges, i.e. on the Internet.

False positives are expected wherever FTP is still used for legitimate business transfers. Before enabling the rule broadly, inventory the hosts and destinations that are expected to speak FTP and add them as exceptions, otherwise the alert volume will quickly cause fatigue. The highest-value signal is an FTP connection from a system that has no FTP use case at all, such as a production server that should never initiate outbound file transfers.
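To make the matching criteria concrete, the following is an added example (not code from Elastic or from the rule itself) that re-implements the rule's conditions in Python and runs them over a handful of constructed flow records. Field names follow Elastic Common Schema (`event.dataset`, `network.transport`, `source.ip`, `destination.ip`, `destination.port`). The dataset name `zeek.ftp` used for the "FTP-specific dataset" path, the exact set of excluded destination ranges, and every IP address in the sample records are assumptions for illustration, not values taken from the page.

```python
import ipaddress

# Source ranges treated as "internal" (RFC 1918 private space).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations that do NOT count as "the Internet": private, loopback,
# link-local, CGNAT, multicast, reserved and documentation ranges.
# Assumption: this list approximates the rule's exclusion list.
NON_INTERNET_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15",
    "::1/128", "fe80::/10", "ff00::/8",
)]

FTP_PORTS = {20, 21}
FTP_DATASET = "zeek.ftp"  # assumed name of an FTP-specific dataset


def _in_any(ip, networks):
    """True if ip falls inside any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def is_ftp_to_internet(event):
    """Apply the rule's conditions to one flow event.

    TCP transport, FTP port or FTP dataset, internal source address,
    and a destination outside every internal/special-purpose range.
    """
    if event.get("network.transport") != "tcp":
        return False
    looks_like_ftp = (event.get("event.dataset") == FTP_DATASET
                      or event.get("destination.port") in FTP_PORTS)
    if not looks_like_ftp:
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not dst:
        return False
    return _in_any(src, INTERNAL_SOURCES) and not _in_any(dst, NON_INTERNET_DESTINATIONS)


def find_alerts(events, allowed_destinations=()):
    """Return the events that would fire the rule.

    allowed_destinations models the tuning step: known business FTP
    servers are suppressed so they do not generate noise.
    """
    return [e for e in events
            if is_ftp_to_internet(e)
            and e.get("destination.ip") not in set(allowed_destinations)]


# Constructed sample flow records (not real traffic). Public addresses are
# placeholders chosen only because they lie outside every excluded range.
SAMPLE_EVENTS = [
    # 0: internal host -> public host, FTP control port: fires.
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.20.30.40", "destination.ip": "8.8.8.8", "destination.port": 21},
    # 1: internal -> internal FTP: destination is not "the Internet".
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.20.30.40", "destination.ip": "10.9.8.7", "destination.port": 21},
    # 2: UDP on port 21 is not FTP as the rule defines it.
    {"event.dataset": "network_traffic.flow", "network.transport": "udp",
     "source.ip": "192.168.1.10", "destination.ip": "8.8.8.8", "destination.port": 21},
    # 3: destination in a documentation range (TEST-NET-3) is excluded, so a
    #    test that uses 203.0.113.x will NOT trigger the rule.
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "172.16.5.5", "destination.ip": "203.0.113.5", "destination.port": 21},
    # 4: FTP-specific dataset on a non-standard port still fires.
    {"event.dataset": FTP_DATASET, "network.transport": "tcp",
     "source.ip": "172.16.5.5", "destination.ip": "1.1.1.1", "destination.port": 2121},
    # 5: inbound from a public source does not match the source condition.
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "8.8.8.8", "destination.ip": "10.20.30.40", "destination.port": 21},
    # 6: ordinary HTTPS egress is ignored.
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.20.30.40", "destination.ip": "8.8.8.8", "destination.port": 443},
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", e["source.ip"], "->", e["destination.ip"], e["destination.port"])
    # With a known FTP server allow-listed, only the remaining hit is reported.
    print("after tuning:", len(find_alerts(SAMPLE_EVENTS, allowed_destinations={"8.8.8.8"})))
```

Record 3 is the caveat worth remembering when validating this rule: the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are excluded as non-Internet destinations, so a lab test that points FTP at a TEST-NET address will never produce an alert. The `allowed_destinations` parameter is the simplest form of the workflow tuning the summary recommends; in a production deployment the equivalent is a rule exception on the sanctioned servers' addresses.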
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1048
Created: 2020-02-18