AWS S3 Bucket Replicated to Another Account

Elastic Detection Rules

Summary
This rule, authored by Elastic, detects the AWS S3 `PutBucketReplication` operation being used to replicate objects to a bucket that resides in a different AWS account. Cross-account bucket replication is a legitimate operation in some AWS environments, but an attacker with sufficient permissions can use it to exfiltrate sensitive data to an account under their control, which is why the rule treats it as a significant risk. The detection logic uses Event Query Language (EQL) to identify successful `PutBucketReplication` actions in CloudTrail logs whose request contains an `Account` parameter pointing at an external AWS account. The rule's severity is medium with a risk score of 47. Known false positives include legitimate replication activity, and the rule provides investigation steps such as verifying the user identity, analyzing the event, and correlating it with recent permission changes.
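The check the summary describes, re-implemented as an added Python example rather than Elastic's own EQL rule: it walks a few constructed CloudTrail records, keeps only successful `PutBucketReplication` calls, and flags those whose replication destination `Account` differs from the account that received the event. The field path `requestParameters.ReplicationConfiguration.Rule.Destination.Account` and the sample records are assumptions about the CloudTrail record shape, not taken from the page.

```python
"""Cross-account S3 replication detector (added example, not Elastic's rule code).

Assumption: CloudTrail logs PutBucketReplication with the replication
configuration under requestParameters.ReplicationConfiguration, where "Rule"
may be a single object or a list, and each rule's Destination may carry the
destination bucket owner's account ID in "Account". Adjust for your logs.
"""
import json

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {   # destination owned by another account: should alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "bucketName": "finance-reports",
            "ReplicationConfiguration": {
                "Rule": {
                    "Status": "Enabled",
                    "Destination": {"Bucket": "arn:aws:s3:::external-copy",
                                    "Account": "222222222222"},
                }
            },
        },
    },
    {   # same-account replication: legitimate, no alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "bucketName": "app-logs",
            "ReplicationConfiguration": {
                "Rule": {"Status": "Enabled",
                         "Destination": {"Bucket": "arn:aws:s3:::app-logs-dr",
                                         "Account": "111111111111"}}
            },
        },
    },
    {   # denied attempt: the rule only matches successful calls, no alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "errorCode": "AccessDenied",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
        "requestParameters": {
            "bucketName": "finance-reports",
            "ReplicationConfiguration": {
                "Rule": {"Destination": {"Bucket": "arn:aws:s3:::x",
                                         "Account": "333333333333"}}
            },
        },
    },
    {   # list of rules, one of which targets an external account: should alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deployer"},
        "requestParameters": {
            "bucketName": "customer-exports",
            "ReplicationConfiguration": {
                "Rule": [
                    {"Destination": {"Bucket": "arn:aws:s3:::exports-dr",
                                     "Account": "111111111111"}},
                    {"Destination": {"Bucket": "arn:aws:s3:::mirror",
                                     "Account": "444444444444"}},
                ]
            },
        },
    },
]


def _iter_rules(config):
    """Yield replication rules whether CloudTrail recorded one or a list."""
    rules = config.get("Rule", [])
    return [rules] if isinstance(rules, dict) else list(rules)


def destination_accounts(event):
    """Return the set of destination account IDs named in the request."""
    params = event.get("requestParameters") or {}
    config = params.get("ReplicationConfiguration") or {}
    accounts = set()
    for rule in _iter_rules(config):
        account = (rule.get("Destination") or {}).get("Account")
        if account:
            accounts.add(str(account))
    return accounts


def is_cross_account_replication(event):
    """True for a successful PutBucketReplication to a foreign account."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutBucketReplication":
        return False
    if event.get("errorCode"):          # failed call, outcome != success
        return False
    source = str(event.get("recipientAccountId", ""))
    return any(acct != source for acct in destination_accounts(event))


def detect(events):
    """Run the check over a batch of records and return alert dicts."""
    alerts = []
    for ev in events:
        if is_cross_account_replication(ev):
            src = str(ev.get("recipientAccountId", ""))
            alerts.append({
                "bucket": ev["requestParameters"].get("bucketName"),
                "actor": ev.get("userIdentity", {}).get("arn"),
                "source_account": src,
                "destination_accounts": sorted(
                    a for a in destination_accounts(ev) if a != src),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The denied-attempt record is included deliberately: the rule matches only successful calls, so a failed `PutBucketReplication` is not an alert here, though a separate rule for repeated access-denied attempts on replication settings may still be worth having.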
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1537
Created: 2024-07-12