A Cloud DB instance was exported to an unknown destination

Cortex XDR Analytics Alert Reference by data source
Product
Cortex XDR
Last date published
2026-06-15
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

Data Detection & Response, Cloud Data Asset Exfiltration

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

A Cloud DB instance was exported to a foreign storage destination.
The destination storage has not been seen in the organization in the last 30 days.

Attacker's Goals

Exfiltrate sensitive database content to an external or attacker-controlled bucket.

Investigative actions

  • Verify if the destination bucket is authorized for data export.
  • Investigate the identity performing the action for unusual behavior or lack of authorization.
  • Assess the sensitivity of the data within the source Cloud DB instance to determine impact.