Linux Auditd Data Transfer Size Limits Via Split Syscall

Splunk Security Content

Summary
This detection rule identifies potential data exfiltration attempts on Linux systems that use the `split` syscall to fragment large files into smaller parts. By monitoring uses of the `split` syscall, it enables the detection of possible evasion tactics employed by attackers aiming to circumvent security controls based on data size limits. Upon triggering, the rule logs the relevant syscalls that indicate suspicious behavior linked to data transfers. This detection is particularly useful for security teams that need to safeguard sensitive information against covert exfiltration strategies. Implementation involves ingesting Linux audit logs into the Splunk platform, normalizing the data for consistency, and tuning filters to reduce false positives caused by legitimate administrative tasks. Used properly, this detection increases visibility into unusual system activity surrounding file manipulation commands and helps secure endpoints against unauthorized data transfers.
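As an added example (not part of the Splunk Security Content rule or its SPL), the following Python correlates auditd SYSCALL and EXECVE records by event id to flag `split` invoked with a size or line-count option, with an allowlist hook for the legitimate administrative use the rule says to filter out; the audit lines, the allowlist entries and the function names are constructed for illustration.

```python
import re

# Constructed sample auditd records (not real captures): split run by a
# normal user on a file in /tmp, a benign ls, and a root backup job's split.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1731456000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4133 auid=1000 uid=1000 gid=1000 comm="split" exe="/usr/bin/split" key="exec"
type=EXECVE msg=audit(1731456000.101:2001): argc=4 a0="split" a1="-b" a2="10M" a3="/tmp/customer_db.tar.gz"
type=SYSCALL msg=audit(1731456000.205:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4140 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1731456000.205:2002): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1731456001.300:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4150 auid=0 uid=0 gid=0 comm="split" exe="/usr/bin/split" key="exec"
type=EXECVE msg=audit(1731456001.300:2003): argc=4 a0="split" a1="-b" a2="2G" a3="/var/backups/nightly.tar"
"""

EVENT_ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SIZE_OPTS = ("-b", "-C", "-l", "--bytes", "--line-bytes", "--lines")  # GNU split size/line options
# Hypothetical allowlist of (uid, target path prefix) for legitimate admin
# jobs such as scheduled backups; tune it to reduce false positives.
ALLOWLIST = [("0", "/var/backups/")]

def parse_records(log_text):
    """Merge SYSCALL and EXECVE records sharing an event id into one dict each."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(uid=fields.get("uid"), exe=fields.get("exe"))
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return [e for e in events.values() if "argv" in e]

def detect_split_fragmentation(log_text, allowlist=ALLOWLIST):
    """Return execve events of split with a size/line option, minus allowlisted ones."""
    hits = []
    for ev in parse_records(log_text):
        argv = ev["argv"]
        if (not argv or argv[0].rsplit("/", 1)[-1] != "split"
                or not any(a.startswith(SIZE_OPTS) for a in argv[1:])):
            continue
        target = argv[-1]  # input file is the last positional argument here
        if any(ev.get("uid") == uid and target.startswith(prefix)
               for uid, prefix in allowlist):
            continue
        hits.append(ev)
    return hits
```

Running `detect_split_fragmentation(SAMPLE_AUDIT_LOG)` returns only the user's `split -b 10M` of the archive in /tmp; the root backup job is suppressed by the allowlist and `ls` never matches.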
Categories
  • Linux
  • Endpoint
Data Sources
  • Kernel
  • Process
  • Command
  • Logon Session
ATT&CK Techniques
  • T1030
Created: 2024-11-13