I want to create an alert to catch large amounts of data leaving the network

Hi Lou,

Did you got your answer about this query? I have the same issue. I need to monitor large data getting out of my systems, I need to know. 

As far as I know, SEM can't monitor network traffic data, it is designed to monitor events from devices. You can only monitor it, if your network device can send syslog message to SEM when the traffic data exceeds a threshold value.

Instead of SEM, I would recommend considering SolarWinds NPM (Network Performance Monitor) module to monitor network devices by SNMP and pull interface traffic statistics.

Connect your corporate firewall to SEM, ensuring you are sending your traffic logs to SEM.  Once being collected by SEM, take a look at the ExtraneousInfo field being generated in these logs.  There is a lot of info/data in that field, but the exact field/data to use in a query and/or rule will be based on how your firewall logs are sent to SEM and what firewall is used.