https://community.splunk.com/t5/Splunk-Search/fileSizeGB-AND-fileCount-thresholds/m-p/697755#M237003 <P>Wondering if there are any industry best practices and/or recommendation for&nbsp;&nbsp;setting fileSizeGB AND fileCount thresholds when searching\detecting&nbsp; data exfiltration over USB device with the help of Proofpoint ITM events in Splunk.</P><P>I know we all have diff levels of risk&nbsp; as we try to limit the number of false positives to our SOC team.&nbsp; &nbsp;We started out with&nbsp;eval fileSizeGB=(Total/1000000) | where fileSizeGB &gt; 100 AND fileCount &gt; 100.&nbsp; These thresholds are yielding few detections\alerts so we know we need to lower.&nbsp; You can prob guess any insider threat team would want fileSizeGB &gt; 10 AND fileCount &gt; 1.&nbsp; &nbsp; &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; &nbsp; Just trying to find happy medium for all&nbsp;so any best practices or suggestions appreciated.</P> Thu, 29 Aug 2024 19:29:56 GMT DDowns 2024-08-29T19:29:56Z https://community.splunk.com/t5/Splunk-Search/fileSizeGB-AND-fileCount-thresholds/m-p/697755#M237003 <P>Wondering if there are any industry best practices and/or recommendation for&nbsp;&nbsp;setting fileSizeGB AND fileCount thresholds when searching\detecting&nbsp; data exfiltration over USB device with the help of Proofpoint ITM events in Splunk.</P><P>I know we all have diff levels of risk&nbsp; as we try to limit the number of false positives to our SOC team.&nbsp; &nbsp;We started out with&nbsp;eval fileSizeGB=(Total/1000000) | where fileSizeGB &gt; 100 AND fileCount &gt; 100.&nbsp; These thresholds are yielding few detections\alerts so we know we need to lower.&nbsp; You can prob guess any insider threat team would want fileSizeGB &gt; 10 AND fileCount &gt; 1.&nbsp; &nbsp; &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; &nbsp; Just trying to find happy medium for all&nbsp;so any best practices or suggestions appreciated.</P> Thu, 29 Aug 2024 19:29:56 GMT https://community.splunk.com/t5/Splunk-Search/fileSizeGB-AND-fileCount-thresholds/m-p/697755#M237003 DDowns 2024-08-29T19:29:56Z https://community.splunk.com/t5/Splunk-Search/fileSizeGB-AND-fileCount-thresholds/m-p/697758#M237005 <P>1. Other than the fact that you're holding the events in Splunk the question as such is completely unrelated to Splunk. It's a question about ObserveIT.</P><P>2. There is no general one-size-fits-all answer. Different organizations have different sensitivity to those things</P> Thu, 29 Aug 2024 19:54:39 GMT https://community.splunk.com/t5/Splunk-Search/fileSizeGB-AND-fileCount-thresholds/m-p/697758#M237005 PickleRick 2024-08-29T19:54:39Z