We are trying to enhance the incident management process for our SOC team. We would like SOC to react to data exfiltration incidents but simply dumping DLP logs to QRadar isn't the way they wants. They would like to see a set of correlation rules where DLP is used in conjunction with other events. The goal is to have SIEM rules that will alert on incidents related to data exfiltration that with high probability is not a false positive.
Could you please help me with possible use cases. Maybe you did this already in your organization.