
Summary
This detection rule identifies use of the `split` command on macOS systems. `split` divides a file into smaller segments. That has legitimate administrative uses, but it can also indicate an exfiltration attempt, particularly when it appears alongside other suspicious activity. The detection monitors process creation events and flags command executions where the process image ends with `/split`. Because legitimate administrative activity (for example, splitting large files) can trigger it, the rule is assigned a low severity level. This rule is a proactive measure within the broader context of file exfiltration detection, specifically ATT&CK technique T1030, which covers data transfer of files to external locations.
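To show how the "image ends with `/split`" logic behaves on process-creation telemetry, here is an added example (not the rule's own text, which the page does not reproduce): a small Sigma-style matcher run over constructed sample events. The rule body, field names (`Image`, `CommandLine`) and sample events are assumptions; note that an image such as `/usr/local/bin/splitter` does not match, because the `endswith` test is anchored on the full `/split` suffix.

```python
from typing import Iterable

# Constructed Sigma-style rule body (assumption: mirrors the page's description,
# it is not the actual rule text).
SPLIT_RULE = {
    "title": "Split A File Into Pieces",
    "level": "low",
    "detection": {
        "selection": {"Image|endswith": "/split"},
        "condition": "selection",
    },
}

def _field_matches(field_spec: str, expected: str, event: dict) -> bool:
    """Evaluate one Sigma-style field selector (endswith/startswith/contains/exact)."""
    name, _, modifier = field_spec.partition("|")
    value = event.get(name)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()  # Sigma matching is case-insensitive
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected

def selection_matches(selection: dict, event: dict) -> bool:
    """All fields inside one selection map must match (AND semantics)."""
    return all(_field_matches(k, v, event) for k, v in selection.items())

def evaluate(rule: dict, events: Iterable[dict]) -> list:
    """Return one alert per matching event. Only a condition naming a single
    selection is supported, which is all this rule needs."""
    det = rule["detection"]
    selection = det[det["condition"]]
    return [{"title": rule["title"], "level": rule["level"], "event": e}
            for e in events if selection_matches(selection, e)]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/split", "CommandLine": "split -b 10m archive.tar.gz part_"},
    {"Image": "/bin/ls", "CommandLine": "ls -la"},
    {"Image": "/usr/local/bin/splitter", "CommandLine": "splitter --help"},  # must not match
    {"Image": "/opt/tools/split", "CommandLine": "split -l 1000 dump.sql"},
]

if __name__ == "__main__":
    for alert in evaluate(SPLIT_RULE, SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['event']['CommandLine']}")
```

Because the match keys only on the image path, triaging an alert still means looking at the surrounding activity (what was split, and what happened to the pieces), which is why the rule carries a low severity on its own.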
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1030
Created: 2020-10-15