
Summary
This detection rule identifies instances where an AWS RDS (Relational Database Service) DB snapshot has been shared with another AWS account, which may indicate data exfiltration. DB snapshots are full backups of entire database instances and contain sensitive data that can be misused if shared without proper authorization. The rule uses Elastic Query Language (EQL) to search CloudTrail logs for events indicating that a snapshot's attributes were modified to share it with an external account. False positives should be taken into account, as sharing DB snapshots can be a common and legitimate procedure. Investigative steps are recommended to confirm that the sharing event was authorized and to mitigate risk if a compromise is suspected. Response actions include reversing unauthorized changes and tightening monitoring and policies around snapshot sharing.
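The following is an added example of the detection logic described above, run over a few constructed CloudTrail records; it is not Elastic's rule and not its EQL query. It assumes the CloudTrail shape of the RDS `ModifyDBSnapshotAttribute` / `ModifyDBClusterSnapshotAttribute` calls (`requestParameters.attributeName == "restore"`, with `valuesToAdd` listing the account IDs granted restore access, or the literal `"all"` for a public snapshot) and the `recipientAccountId` field for the snapshot owner's account. The sample events, account IDs and the `allowed_accounts` list are constructed for the example.

```python
"""Flag RDS DB snapshots shared with other AWS accounts, from CloudTrail records.

Added example, not Elastic's rule. Field names follow the CloudTrail
format for RDS ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute
calls as assumed in the lead-in; all sample data below is constructed.
"""
import json
from typing import Iterable, List, Optional

# API calls that change a snapshot's "restore" attribute, i.e. who may restore it.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}


def classify_share(event: dict, allowed_accounts: frozenset = frozenset()) -> Optional[dict]:
    """Return a finding dict if this record shares a snapshot outside the
    owning account (and outside allowed_accounts), otherwise None."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    if event.get("eventName") not in SHARE_EVENTS:
        return None
    if event.get("errorCode"):
        return None  # a denied or failed call changed nothing
    params = event.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return None  # only the "restore" attribute controls sharing
    added = params.get("valuesToAdd") or []  # valuesToRemove alone is a revocation
    owner = event.get("recipientAccountId")
    if "all" in added:
        severity, targets = "public", ["all"]
    else:
        targets = [a for a in added if a != owner and a not in allowed_accounts]
        if not targets:
            return None  # shared only with self or with an approved account
        severity = "external"
    snapshot = (params.get("dBSnapshotIdentifier")
                or params.get("dBClusterSnapshotIdentifier") or "<unknown>")
    return {
        "severity": severity,
        "snapshot": snapshot,
        "owner_account": owner,
        "shared_with": targets,
        "actor": (event.get("userIdentity") or {}).get("arn", "<unknown>"),
        "time": event.get("eventTime"),
    }


def detect(events: Iterable[dict], allowed_accounts: frozenset = frozenset()) -> List[dict]:
    """Run classify_share over a batch of records and keep the findings."""
    return [f for f in (classify_share(e, allowed_accounts) for e in events) if f]


def load_records(text: str) -> List[dict]:
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {   # in-account copy, no sharing: should not fire
        "eventTime": "2024-06-25T09:00:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "CopyDBSnapshot", "recipientAccountId": "111111111111",
        "requestParameters": {"sourceDBSnapshotIdentifier": "prod-db-2024-06-24"},
    },
    {   # snapshot shared with an external account: should fire (external)
        "eventTime": "2024-06-25T09:05:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBSnapshotAttribute", "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-2024-06-24",
                              "attributeName": "restore",
                              "valuesToAdd": ["222222222222"]},
    },
    {   # cluster snapshot made public: should fire (public)
        "eventTime": "2024-06-25T09:10:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBClusterSnapshotAttribute", "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
        "requestParameters": {"dBClusterSnapshotIdentifier": "aurora-prod-2024-06-24",
                              "attributeName": "restore", "valuesToAdd": ["all"]},
    },
    {   # sharing revoked: should not fire
        "eventTime": "2024-06-25T09:15:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBSnapshotAttribute", "recipientAccountId": "111111111111",
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-2024-06-24",
                              "attributeName": "restore",
                              "valuesToRemove": ["222222222222"]},
    },
    {   # attempt denied by IAM: nothing was shared, should not fire
        "eventTime": "2024-06-25T09:20:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBSnapshotAttribute", "recipientAccountId": "111111111111",
        "errorCode": "AccessDenied",
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-2024-06-24",
                              "attributeName": "restore",
                              "valuesToAdd": ["333333333333"]},
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The `allowed_accounts` set is where the false positives the summary mentions are handled: accounts that legitimately receive snapshots (a DR or analytics account, for instance) are listed there, so routine sharing is suppressed while a share to an unknown account or to `all` still surfaces for investigation.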
Categories
- Cloud
Data Sources
- Cloud Storage
- Service
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1537
Created: 2024-06-25