
AWS EC2 EBS Snapshot Shared or Made Public

Elastic Detection Rules

Summary
This rule detects when an AWS EC2 Elastic Block Store (EBS) snapshot is shared with another AWS account or made public. EBS snapshots are particularly sensitive because they often contain data that can be copied and exported. Adversaries might use snapshot sharing to obtain sensitive data by copying snapshots into their own AWS environment. The rule is implemented in the Elasticsearch Query Language (ES|QL) and targets AWS CloudTrail logs, specifically looking for successful 'ModifySnapshotAttribute' events that add sharing permissions. The investigation process involves examining fields in the CloudTrail logs to assess the legitimacy of the sharing action: user identities, source IP addresses, timestamps, and relevant historical activity. False positives are expected from legitimate administrative actions common in AWS environments, so each alert needs careful validation. Remediation steps are recommended for unauthorized sharing, alongside incident response measures to prevent data exfiltration.
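An added example, not part of the Elastic rule or its ES|QL query, showing the same triage logic in Python over constructed CloudTrail records: it keeps only successful ModifySnapshotAttribute calls whose createVolumePermission "add" list names an outside account or the public "all" group, and ignores revocations, failed calls and unrelated API calls. The monitored account id, the actor ARN and the sample records are placeholders constructed for this example.

```python
MONITORED_ACCOUNT = "111111111111"  # assumed placeholder for the monitored account id

def snapshot_share_findings(events, own_account=MONITORED_ACCOUNT):
    """One finding per successful ModifySnapshotAttribute call that ADDs a share."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "ModifySnapshotAttribute" or ev.get("errorCode"):
            continue  # unrelated API call, or a failed call that changed nothing
        params = ev.get("requestParameters") or {}
        perm = params.get("createVolumePermission") or {}
        for item in (perm.get("add") or {}).get("items", []):
            if item.get("group") == "all":
                kind, target = "public", "all"
            elif item.get("userId") and item["userId"] != own_account:
                kind, target = "external", item["userId"]
            else:
                continue  # self-share or unrecognised entry: nothing to triage
            findings.append({
                "snapshot_id": params.get("snapshotId"),
                "kind": kind,
                "shared_with": target,
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return findings

# Constructed sample records in CloudTrail's record layout (not real logs).
def _record(name, add=None, remove=None, error=None):
    perm = {}
    if add: perm["add"] = {"items": add}
    if remove: perm["remove"] = {"items": remove}  # revocations are not shares
    return {
        "eventSource": "ec2.amazonaws.com", "eventName": name, "errorCode": error,
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": f"arn:aws:iam::{MONITORED_ACCOUNT}:user/admin"},
        "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                              "attributeType": "CREATE_VOLUME_PERMISSION",
                              "createVolumePermission": perm},
    }

SAMPLE_EVENTS = [
    _record("ModifySnapshotAttribute", add=[{"userId": "222222222222"}]),    # external share
    _record("ModifySnapshotAttribute", add=[{"group": "all"}]),               # made public
    _record("ModifySnapshotAttribute", remove=[{"userId": "222222222222"}]),  # revoke: ignore
    _record("ModifySnapshotAttribute", add=[{"group": "all"}], error="Client.UnauthorizedOperation"),
    _record("DescribeSnapshotAttribute"),                                     # unrelated call
]
```

Running `snapshot_share_findings(SAMPLE_EVENTS)` yields two findings (one external share, one public share); the actor and source IP fields are the starting points for the identity and IP checks the investigation guide describes.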
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1537
Created: 2024-04-16