Splunk Search

fileSizeGB AND fileCount thresholds

DDowns
New Member

Wondering if there are any industry best practices and/or recommendation for  setting fileSizeGB AND fileCount thresholds when searching\detecting  data exfiltration over USB device with the help of Proofpoint ITM events in Splunk.

I know we all have diff levels of risk  as we try to limit the number of false positives to our SOC team.   We started out with eval fileSizeGB=(Total/1000000) | where fileSizeGB > 100 AND fileCount > 100.  These thresholds are yielding few detections\alerts so we know we need to lower.  You can prob guess any insider threat team would want fileSizeGB > 10 AND fileCount > 1.     🙂    Just trying to find happy medium for all so any best practices or suggestions appreciated.

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Other than the fact that you're holding the events in Splunk the question as such is completely unrelated to Splunk. It's a question about ObserveIT.

2. There is no general one-size-fits-all answer. Different organizations have different sensitivity to those things

0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...