Wondering if there are any industry best practices and/or recommendations for setting fileSizeGB AND fileCount thresholds when searching/detecting data exfiltration over a USB device with the help of Proofpoint ITM events in Splunk. I know we all have different levels of risk as we try to limit the number of false positives to our SOC team. We started out with eval fileSizeGB=(Total/1000000) | where fileSizeGB > 100 AND fileCount > 100. These thresholds are yielding few detections/alerts, so we know we need to lower them. You can probably guess any insider threat team would want fileSizeGB > 10 AND fileCount > 1. 🙂 Just trying to find a happy medium for all, so any best practices or suggestions are appreciated.
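As an added example (not from the original post, and not Proofpoint or Splunk code), the script below baselines per-user daily USB write totals at a chosen percentile and sweeps candidate fileSizeGB/fileCount pairs so the alert volume of each pair can be compared before it goes into the Splunk search. The event rows, the field layout and the bytes-to-GB factor of 10**9 are assumptions; the data is constructed.

```python
"""Threshold tuning for USB-exfiltration alerts built on aggregated ITM events.

Assumes events were already summed per user per day into bytes written and
file count (as the post's Total and fileCount fields). All names are assumed.
"""
from math import ceil

# Constructed sample rows: (user, bytes_written, file_count) for one day each.
DAILY = [
    ("alice", 2_000_000_000, 40),
    ("alice", 500_000_000, 12),
    ("bob", 15_000_000_000, 3),      # one large archive/image, few files
    ("bob", 100_000_000, 5),
    ("carol", 12_000_000_000, 850),  # bulk copy of many documents
    ("carol", 300_000_000, 9),
    ("dave", 50_000_000, 2),
    ("dave", 80_000_000, 4),
    ("erin", 4_000_000_000, 120),
    ("erin", 700_000_000, 35),
]


def to_gb(n_bytes):
    """Bytes to decimal gigabytes (assumed factor: 1 GB = 10**9 bytes)."""
    return n_bytes / 1_000_000_000


def percentile_thresholds(rows, pct=95):
    """Nearest-rank percentile of size (GB) and file count across all rows.

    Alerting above the 95th/99th percentile of observed activity is one way
    to pick a starting threshold from history instead of guessing."""
    sizes = sorted(to_gb(b) for _, b, _ in rows)
    counts = sorted(c for _, _, c in rows)
    idx = ceil(pct / 100 * len(rows)) - 1
    return sizes[idx], counts[idx]


def alerts(rows, size_gb, file_count, require_both=True):
    """Rows that would fire. require_both mirrors the post's AND; set it to
    False to also catch a single huge file or a mass of tiny files."""
    def hit(b, c):
        big, many = to_gb(b) > size_gb, c > file_count
        return (big and many) if require_both else (big or many)
    return [r for r in rows if hit(r[1], r[2])]


def sweep(rows, size_candidates, count_candidates):
    """Alert count per (size_gb, file_count) pair, for false-positive budgeting."""
    return {(g, n): len(alerts(rows, g, n))
            for g in size_candidates for n in count_candidates}
```

Note that with AND semantics the 15 GB, 3-file transfer in the sample never fires at any file-count threshold above 2, which is the trade-off the OR option in alerts exposes.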