For example, a large amount of data sent to Romania or China would be suspicious.
Shouldn't this be a feature request for NTA? I will create a similar one.
I know there's a Top X countries feature in NTA, so maybe it belongs there. The destination country would be part of the trigger. Ideally you could have other factors such as length of the conversation, total number of bytes plus country to trigger a heads-up. And there are probably other characteristics that should raise suspicion of a stream. For example, an IPsec stream to China.
I think this should be part of LEM since LEM is supposed to be a security appliance. Also, if LEM stands a chance to go up against its competing products in its space, it's going to need to have a similar feature set, and this is common amongst just about all of its competitors.