
Summary
The detection rule identifies the use of the 'csplit' and 'split' commands, which are commonly used to chunk web server data into smaller files that may be intended for exfiltration. This rule is particularly relevant in scenarios where attackers reduce file sizes before transferring them so that the transfer is less conspicuous. Based on Atomic Test T1030 #1, this rule employs a comprehensive Splunk query that captures endpoint activity related to these commands. The logic combines direct invocations of 'split' or 'csplit' with additional commands such as 'cp', 'mv', 'gcp', and 'rsync' that may indicate data staging, especially when the operation involves web-related file types. The collected data is summarized in 5-minute intervals, making it easy to monitor suspicious processes tied to data handling. This rule is designed to trigger alerts for behavior that aligns with techniques for staging data for exfiltration, with a particular focus on local data management and manipulation techniques used to evade detection.
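The detection logic described above, re-implemented in Python as an added example (this is not the rule's own Splunk query) and run over a handful of constructed process events: each event is parsed, flagged if it is a direct 'split'/'csplit' invocation or a 'cp'/'mv'/'gcp'/'rsync' call that touches a web-related file type, and the hits are then counted per 5-minute bucket, host, user and process, which is what the rule's 5-minute summary corresponds to in Splunk (`bin _time span=5m` followed by `stats`). The key=value event layout, the list of web-related extensions, the sample events and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint process events in an assumed key=value layout
# (illustrative only, not real telemetry).
SAMPLE_EVENTS = [
    "2024-02-09T10:01:12Z host=web01 user=www-data process=split cmdline='split -b 10M /var/www/html/site_backup.tar.gz part_'",
    "2024-02-09T10:01:45Z host=web01 user=www-data process=split cmdline='split -b 10M /var/www/html/db_dump.sql dump_'",
    "2024-02-09T10:02:40Z host=web01 user=www-data process=cp cmdline='cp /var/www/html/index.php /tmp/stage/'",
    "2024-02-09T10:03:05Z host=web01 user=root process=rsync cmdline='rsync -a /etc/hosts /tmp/stage/'",
    "2024-02-09T10:04:50Z host=web01 user=www-data process=mv cmdline='mv /var/www/html/config.php /tmp/stage/'",
    "2024-02-09T10:09:30Z host=web02 user=alice process=cp cmdline='cp notes.txt /home/alice/'",
    "2024-02-09T10:11:00Z host=web02 user=alice process=csplit cmdline='csplit /tmp/stage/access.log 1000'",
]

# Commands named by the rule: direct chunking, and staging commands that are
# only interesting when they touch web-related file types.
SPLIT_CMDS = {"split", "csplit"}
STAGING_CMDS = {"cp", "mv", "gcp", "rsync"}
# Assumed set of "web-related file types" for this example.
WEB_EXTENSIONS = (".php", ".html", ".htm", ".js", ".css", ".asp", ".aspx", ".jsp")

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"process=(?P<process>\S+)\s+cmdline='(?P<cmdline>[^']*)'$"
)


def parse_event(line):
    """Parse one event line into a dict; return None for malformed input."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None


def is_suspicious(event):
    """Apply the rule's matching logic to a single parsed event."""
    proc = event["process"]
    if proc in SPLIT_CMDS:
        return True  # any direct split/csplit invocation is flagged
    if proc in STAGING_CMDS:
        # Staging commands are flagged only when an argument ends in a
        # web-related extension.
        return any(tok.lower().endswith(WEB_EXTENSIONS)
                   for tok in event["cmdline"].split())
    return False


def bucket_5min(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its 5-minute window."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    dt = dt.replace(minute=dt.minute - dt.minute % 5, second=0, microsecond=0)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize(lines):
    """Count flagged events per (5-minute bucket, host, user, process).

    Returns a sorted list of rows, each with the distinct command lines seen,
    mirroring a Splunk `bin _time span=5m | stats count values(cmdline) by ...`.
    """
    counts = defaultdict(int)
    cmdlines = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None or not is_suspicious(event):
            continue
        key = (bucket_5min(event["ts"]), event["host"], event["user"], event["process"])
        counts[key] += 1
        cmdlines[key].add(event["cmdline"])
    return [
        {"bucket": k[0], "host": k[1], "user": k[2], "process": k[3],
         "count": counts[k], "cmdlines": sorted(cmdlines[k])}
        for k in sorted(counts)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(f"{row['bucket']} {row['host']} {row['user']} {row['process']} "
              f"count={row['count']} cmdlines={row['cmdlines']}")
```

With the constructed events, the `rsync` of `/etc/hosts` and the `cp` of `notes.txt` are dropped because neither is a split command nor touches a web-related file type, while the two `split` runs on `web01` collapse into a single row with `count=2` in the 10:00 bucket. In production the extension list and the staging-command set are the two knobs most likely to need tuning against a given fleet's baseline.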
Categories
- Endpoint
- Containers
- Web
Data Sources
- Process
- File
- User Account
ATT&CK Techniques
- T1030
- T1074.001
Created: 2024-02-09