I currently have this on my LEM Rules and it seems the only way to do this is by the how many events happen within the set correlation time. Could there be a option to add files sizes as well.
Information theft is not only just about how many files, one file that is 800 MB (software, databases, etc.) is just as important as 1000 files at 100 KB each.
Thanks.
Steve Ketchum
