Detecting only double \\Temp\\ logic is making this detection weak (only 24 events triggered), but with individual \\Temp\\ detection, it is getting much more results (300+ events triggered). I know individual \\Temp\\ detection can lead to false positives, but we can narrow it down based on a 90 days or 30 days baseline.