The detection generates false positives because it uses total transferred bytes (InitiatorBytes + ResponderBytes) and does not distinguish between uploads and downloads, causing large legitimate downloads to be flagged as exfiltration. As a result, normal activities like software updates or file downloads can trigger alerts, reducing detection accuracy and increasing noise. This should be improved by focusing on outbound traffic (InitiatorBytes)
The detection generates false positives because it uses total transferred bytes (InitiatorBytes + ResponderBytes) and does not distinguish between uploads and downloads, causing large legitimate downloads to be flagged as exfiltration. As a result, normal activities like software updates or file downloads can trigger alerts, reducing detection accuracy and increasing noise. This should be improved by focusing on outbound traffic (InitiatorBytes)