
Split A File Into Pieces - Linux

Sigma Rules

Summary
This detection rule looks for execution of the 'split' command on Linux hosts. 'split' divides a file into smaller pieces, and splitting a file before moving it off a host is a known way of keeping each transfer below the size thresholds that network monitoring or data-loss-prevention tooling would otherwise flag (MITRE ATT&CK T1030, Data Transfer Size Limits). The rule relies on process-creation telemetry from the 'auditd' service: an audit rule on the execve system call records every program launch, and the detection matches records in which the executed binary is 'split'. Because 'split' is a legitimate utility used in backups, log handling and routine administration, a bare match is low-fidelity; the rule therefore includes conditions intended to reduce false positives, which should be tuned to separate expected administrative use from suspicious cases, in particular a split that is immediately followed by an outbound transfer of the resulting pieces.
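The detection logic described above, as an added example that is not part of the original rule or the Sigma project's code. It correlates auditd SYSCALL and EXECVE records by their audit serial, flags launches of 'split', extracts the chunk size and target paths from the argument list, and applies a hypothetical allowlist (a backup service account, uid 998, writing under /var/backups/) as the kind of false-positive condition the summary refers to. The log lines are constructed for the example; the allowlist values are assumptions, not part of the rule.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real logs). Three execve events:
# an interactive user splitting an archive in /tmp, a backup service account
# splitting a dump under /var/backups/, and an unrelated tar invocation.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1602764400.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2245 auid=1000 uid=1000 comm="split" exe="/usr/bin/split" key="exec"
type=EXECVE msg=audit(1602764400.101:1001): argc=4 a0="split" a1="-b" a2="50M" a3="/tmp/export.tar.gz"
type=SYSCALL msg=audit(1602764400.220:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=2260 auid=4294967295 uid=998 comm="split" exe="/usr/bin/split" key="exec"
type=EXECVE msg=audit(1602764400.220:1002): argc=5 a0="split" a1="-b" a2="4G" a3="/var/backups/db.dump" a4="/var/backups/db.dump.part-"
type=SYSCALL msg=audit(1602764400.300:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2270 auid=1000 uid=1000 comm="tar" exe="/usr/bin/tar" key="exec"
type=EXECVE msg=audit(1602764400.300:1003): argc=3 a0="tar" a1="-czf" a2="/tmp/export.tar.gz"
"""

# Hypothetical tuning (an assumption for this example, not part of the rule):
# a backup service account that splits dumps under /var/backups/ is expected.
BENIGN_PROFILES = ({"uid": "998", "path_prefix": "/var/backups/"},)

UNSET_AUID = "4294967295"  # auditd's value when no login session is associated

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# split options that take a value; the first six set the piece size.
SIZE_OPTS = ("-b", "--bytes", "-C", "--line-bytes", "-l", "--lines")
VALUE_OPTS = SIZE_OPTS + ("-n", "--number", "-a", "--suffix-length")


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records by audit serial and merge their fields."""
    events = defaultdict(lambda: {"args": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        ev["timestamp"] = m.group(1)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["args"] = [fields.get(f"a{i}", "") for i in range(argc)]
        else:
            ev.update(fields)
    return dict(events)


def parse_split_args(args):
    """Walk split's argv and return (chunk_size, input_file, output_prefix)."""
    chunk, positional, i = None, [], 1
    while i < len(args):
        arg = args[i]
        if arg in VALUE_OPTS:                      # "-b 50M" style
            if arg in SIZE_OPTS and i + 1 < len(args):
                chunk = args[i + 1]
            i += 2
            continue
        if arg.startswith("--") and "=" in arg:    # "--bytes=50M" style
            if arg.split("=", 1)[0] in SIZE_OPTS:
                chunk = arg.split("=", 1)[1]
        elif len(arg) > 2 and arg[:2] in SIZE_OPTS:  # "-b50M" style
            chunk = arg[2:]
        elif not arg.startswith("-") or arg == "-":
            positional.append(arg)
        i += 1
    infile = positional[0] if positional else None
    prefix = positional[1] if len(positional) > 1 else None
    return chunk, infile, prefix


def detect_split(events, benign_profiles=BENIGN_PROFILES):
    """Return one alert per 'split' launch, marking allowlisted cases as suppressed."""
    alerts = []
    for serial in sorted(events):
        ev = events[serial]
        if not (ev.get("exe", "").endswith("/split") or ev.get("comm") == "split"):
            continue
        chunk, infile, prefix = parse_split_args(ev["args"])
        suppressed = any(
            ev.get("uid") == p["uid"] and (infile or "").startswith(p["path_prefix"])
            for p in benign_profiles
        )
        alerts.append({
            "serial": serial,
            "timestamp": ev.get("timestamp"),
            "uid": ev.get("uid"),
            "auid": ev.get("auid"),
            "interactive": ev.get("auid") not in (None, UNSET_AUID),
            "pid": ev.get("pid"),
            "ppid": ev.get("ppid"),
            "chunk_size": chunk,
            "input_file": infile,
            "output_prefix": prefix,
            "suppressed": suppressed,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_split(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The interactive flag comes from auid: a launch with no login session attached (auid unset) is more likely a scheduled job, while an interactive user splitting an archive into 50M pieces in /tmp is the case worth correlating with whatever network transfer follows. In a SIEM the same enrichment would drive the follow-up query for outbound connections from the same session.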
Categories
  • Linux
  • Endpoint
Data Sources
  • Command
  • Logon Session
  • Process
ATT&CK Techniques
  • T1030
Created: 2020-10-15