Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

fileSizeGB AND fileCount thresholds

DDowns
New Member
‎08-29-2024 12:29 PM

Wondering if there are any industry best practices and/or recommendation for  setting fileSizeGB AND fileCount thresholds when searching\detecting  data exfiltration over USB device with the help of Proofpoint ITM events in Splunk.

I know we all have diff levels of risk  as we try to limit the number of false positives to our SOC team.   We started out with eval fileSizeGB=(Total/1000000) | where fileSizeGB > 100 AND fileCount > 100.  These thresholds are yielding few detections\alerts so we know we need to lower.  You can prob guess any insider threat team would want fileSizeGB > 10 AND fileCount > 1.     🙂    Just trying to find happy medium for all so any best practices or suggestions appreciated.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-29-2024 12:54 PM

1. Other than the fact that you're holding the events in Splunk the question as such is completely unrelated to Splunk. It's a question about ObserveIT.

2. There is no general one-size-fits-all answer. Different organizations have different sensitivity to those things

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...