
Summary
This detection rule identifies potential data exfiltration attempts on Linux systems by monitoring for the use of data-splitting utilities, specifically `dd`, `split`, and `rsplit`, with suspicious command-line arguments. Data splitting is a technique adversaries use to divide sensitive information into smaller segments so that the transfer is less likely to be noticed during exfiltration. The rule captures events where these commands are invoked with specific parameters, such as `bs=*` and `if=*`, while excluding benign scenarios where these tools are commonly used for legitimate purposes. The rule operates on data sourced from Elastic Defend, CrowdStrike, and SentinelOne, and it is valuable for identifying unauthorized data transfers in environments where sensitive information must be tightly controlled. The associated investigation guide provides thorough details on analyzing the alerts, addressing potential false positives, and implementing effective remediation strategies to strengthen data security against exfiltration tactics.
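As an added illustration, not the rule's own query or code from Elastic, the following Python applies the detection logic described above to constructed process-creation events. The `split`/`rsplit` byte-size options and the pseudo-device allowlist are assumptions standing in for the rule's unstated exclusions.

```python
import shlex
from dataclasses import dataclass

WATCHED_BINARIES = {"dd", "split", "rsplit"}  # tools named on the page
DD_SUSPICIOUS_PREFIXES = ("bs=", "if=")  # dd arguments the page names
# Assumption: byte-size chunking is the split/rsplit counterpart of dd's bs=.
SPLIT_SIZE_OPTIONS = ("-b", "--bytes")
# Assumption: illustrative allowlist, not the rule's own exclusions. dd reading
# a pseudo-device (zero-filling a file, wiping a disk) is a common benign use.
BENIGN_DD_SOURCES = {"/dev/zero", "/dev/urandom", "/dev/null"}


@dataclass(frozen=True)
class ProcessEvent:  # minimal shape of a process-creation record from an EDR
    process_name: str
    command_line: str
    user: str

def dd_source(argv):
    """Return the value of dd's if= argument, or None when it is absent."""
    return next((a[3:] for a in argv[1:] if a.startswith("if=")), None)

def is_suspicious(event):
    """Apply the detection logic described above to a single event."""
    if event.process_name not in WATCHED_BINARIES:
        return False
    argv = shlex.split(event.command_line)
    if event.process_name == "dd":
        if not any(a.startswith(DD_SUSPICIOUS_PREFIXES) for a in argv[1:]):
            return False
        return dd_source(argv) not in BENIGN_DD_SOURCES  # allowlist check
    # split / rsplit: flag explicit byte-size chunking (assumed equivalent).
    return any(a.startswith(SPLIT_SIZE_OPTIONS) for a in argv[1:])

def find_hits(events):
    """Return the events that should raise an alert, in input order."""
    return [e for e in events if is_suspicious(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("dd", "dd if=/home/alice/customers.db of=/tmp/.c bs=5M", "alice"),
    ProcessEvent("dd", "dd if=/dev/zero of=/swapfile bs=1M count=2048", "root"),
    ProcessEvent("split", "split -b 10M /tmp/.c /tmp/.c.part", "alice"),
    ProcessEvent("split", "split -l 1000 access.log chunk_", "www-data"),
    ProcessEvent("cat", "cat /etc/hostname", "alice"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} cmd={hit.command_line!r}")
```

Run as-is, it reports the two `alice` events (the `dd` read of a user database and the byte-size `split` of the resulting file) and stays silent on the swapfile creation, the line-based split and the unrelated `cat`.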
Categories
- Endpoint
- Linux
Data Sources
- Process
- Logon Session
- Network Traffic
- Application Log
- Container
Created: 2024-11-04