BigQuery table or query results exfiltrated to a foreign project

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-04

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Gcp Audit Log
Detection Modules	Cloud
Detector Tags	Data Detection & Response
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Informational

A cloud identity exfiltrated BigQuery table data to a foreign storage service.

Exfiltrate sensitive data that resides inside BigQuery table.

Check if {cloud_best_identity_match} intended to transfer data from BigQuery table.
Verify if the affected table did not contain any sensitive information.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Informational

A cloud identity exfiltrated BigQuery table data to a foreign storage service.

Exfiltrate sensitive data that resides inside BigQuery table.

Check if {cloud_best_identity_match} intended to transfer data from BigQuery table.
Verify if the affected table did not contain any sensitive information.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Low

A cloud identity exfiltrated BigQuery table data to a foreign storage service.

Exfiltrate sensitive data that resides inside BigQuery table.

Check if {cloud_best_identity_match} intended to transfer data from BigQuery table.
Verify if the affected table did not contain any sensitive information.