
Summary
This analytic identifies suspicious activity around AWS EC2 snapshots that may indicate a data exfiltration attempt. It examines the AWS API calls logged by AWS CloudTrail, specifically looking for a sequence of actions such as CreateSnapshot, DescribeSnapshotAttribute, ModifySnapshotAttribute, and DeleteSnapshot performed within a short time frame. The rule uses a time bin of 5 minutes and requires at least 2 distinct API calls within a bin to trigger an alert. An attacker manipulating snapshots in this way may be trying to share sensitive data without authorization by modifying the snapshot's access permissions. The alert includes the user making the requests and the source IP address involved in these actions, enabling further investigation and potential mitigation steps.
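The detection logic described above, as an added Python example that is not the analytic's own query: it bins CloudTrail records into 5-minute windows per user ARN and source IP, and alerts when a window contains at least 2 distinct snapshot API calls. The sample events and the account ID, user names and IP addresses in them are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Snapshot API calls the analytic watches for (from the rule description).
WATCHED = {"CreateSnapshot", "DescribeSnapshotAttribute",
           "ModifySnapshotAttribute", "DeleteSnapshot"}
BIN_SECONDS = 300      # 5-minute time bin
MIN_DISTINCT = 2       # distinct API calls needed inside one bin

# Constructed sample CloudTrail records (minimal fields only; not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-14T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-11-14T10:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-11-14T10:07:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshotAttribute", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-11-14T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSnapshot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

def parse_event_time(value: str) -> int:
    """CloudTrail eventTime is ISO 8601 UTC; return it as epoch seconds."""
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def detect(events, bin_seconds=BIN_SECONDS, min_distinct=MIN_DISTINCT):
    """Return one alert per (user, source IP, time bin) holding >= min_distinct
    distinct watched snapshot API calls from the EC2 service."""
    buckets = defaultdict(set)   # (user arn, src ip, bin start) -> event names
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED:
            continue
        ts = parse_event_time(ev["eventTime"])
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"],
               ts - ts % bin_seconds)        # align to fixed bin boundary
        buckets[key].add(ev["eventName"])
    alerts = []
    for (user, ip, start), names in sorted(buckets.items()):
        if len(names) >= min_distinct:
            alerts.append({"user": user, "src_ip": ip,
                           "bin_start": datetime.fromtimestamp(
                               start, tz=timezone.utc).isoformat(),
                           "api_calls": sorted(names)})
    return alerts
```

Fixed bins can split a CreateSnapshot/ModifySnapshotAttribute pair that straddles a 5-minute boundary, so a production rule may prefer a sliding window; the alert's user ARN and source IP are the pivot points for the follow-up investigation.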
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1537
Created: 2024-11-14