
Large Data Transfer Proxy

Anvilogic Forge

Summary
This detection rule monitors web proxy logs for potential data exfiltration. It triggers when a client sends individual transfers of at least 20MB and the total data sent to the same destination exceeds 1GB within a one-hour window. The logic is implemented in Splunk and applies two further conditions: a non-GET HTTP method and a successful (200) response status. Notable threat actor associations indicate that this rule is particularly relevant to advanced persistent threats (APTs) and known ransomware groups, including APT33, FIN7, and Clop. By focusing on anomalous upload behaviour in web proxy logs, the rule helps identify likely exfiltration activity and strengthen defenses against sophisticated threats.
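The thresholds described above, applied to constructed proxy log records as an added illustration (this is not the Anvilogic Forge Splunk rule itself; the record field names, hosts and addresses are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
MIN_TRANSFER_BYTES = 20 * MB       # each qualifying request sends at least 20MB
TOTAL_THRESHOLD_BYTES = 1024 * MB  # more than 1GB to one destination within an hour
WINDOW = timedelta(hours=1)
# Constructed proxy records; the field names are assumptions, not the rule's schema.
SAMPLE_LOGS = [
    {"ts": "2024-02-09T10:00:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "POST", "status": 200, "bytes_out": 300 * MB},
    {"ts": "2024-02-09T10:10:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "PUT", "status": 200, "bytes_out": 300 * MB},
    {"ts": "2024-02-09T10:20:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "POST", "status": 200, "bytes_out": 300 * MB},
    {"ts": "2024-02-09T10:30:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "POST", "status": 200, "bytes_out": 300 * MB},
    # Excluded by the per-request filter: a GET, a failed status, and a transfer below 20MB.
    {"ts": "2024-02-09T10:35:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "GET", "status": 200, "bytes_out": 500 * MB},
    {"ts": "2024-02-09T10:36:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "POST", "status": 403, "bytes_out": 500 * MB},
    {"ts": "2024-02-09T10:37:00", "src": "10.0.0.5", "dest": "files.example.net", "method": "POST", "status": 200, "bytes_out": 5 * MB},
    # Two large uploads 90 minutes apart never share a one-hour window, so no alert.
    {"ts": "2024-02-09T10:00:00", "src": "10.0.0.7", "dest": "backup.example.org", "method": "POST", "status": 200, "bytes_out": 600 * MB},
    {"ts": "2024-02-09T11:30:00", "src": "10.0.0.7", "dest": "backup.example.org", "method": "POST", "status": 200, "bytes_out": 600 * MB},
]

def qualifying(rec):
    """Per-request filter: non-GET method, 200 status, and at least 20MB sent."""
    return rec["method"] != "GET" and rec["status"] == 200 and rec["bytes_out"] >= MIN_TRANSFER_BYTES

def detect_large_transfers(records):
    """Return (src, dest, window_start, total_bytes) for each pair whose qualifying transfers exceed 1GB in any sliding one-hour window."""
    by_pair = defaultdict(list)
    for rec in records:
        if qualifying(rec):
            by_pair[(rec["src"], rec["dest"])].append((datetime.fromisoformat(rec["ts"]), rec["bytes_out"]))
    alerts = []
    for (src, dest), events in by_pair.items():
        events.sort()
        total, start = 0, 0
        for ts, size in events:
            total += size
            while ts - events[start][0] > WINDOW:   # drop events older than one hour
                total -= events[start][1]
                start += 1
            if total > TOTAL_THRESHOLD_BYTES:
                alerts.append((src, dest, events[start][0], total))
                break   # one alert per source/destination pair is enough for triage
    return alerts

if __name__ == "__main__":
    for src, dest, since, total in detect_large_transfers(SAMPLE_LOGS):
        print(f"ALERT {src} -> {dest}: {total // MB}MB sent since {since:%H:%M}")
```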
Categories
  • Network
  • Web
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1020
  • T1030
  • T1041
  • T1567
Created: 2024-02-09