
Summary
This detection rule identifies when an AWS DynamoDB table is exported to Amazon S3 via the ExportTableToPointInTime operation, which can indicate potential data exfiltration by an adversary. The rule leverages CloudTrail logs to monitor user actions, specifically looking for the ExportTableToPointInTime API call. It only flags an event when it is observed for the first time within the last 14 days for a specific user, defined by the aws.cloudtrail.user_identity.arn field. False positives can occur if the user is performing legitimate tasks such as data analysis or backups, so user permissions and historical behavior should be investigated thoroughly before taking action on the flagged activity. Initial investigative steps include identifying the requesting user and IP address, analyzing the request parameters, checking the access keys involved, and reviewing IAM policies.
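The first-seen-in-14-days logic described above, as an added example that is not part of the rule itself: it runs over constructed CloudTrail events in the flattened ECS layout (the event.provider and event.action field names, and the sample ARNs, are assumptions) and returns the export calls whose user ARN has no prior export within the window.

```python
from datetime import datetime, timedelta

# Constructed sample events in a flattened ECS-style layout; the field
# names other than aws.cloudtrail.user_identity.arn are assumptions.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-03-01T10:00:00Z", "event.provider": "dynamodb.amazonaws.com",
     "event.action": "ExportTableToPointInTime",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice"},
    {"@timestamp": "2025-03-01T10:05:00Z", "event.provider": "dynamodb.amazonaws.com",
     "event.action": "DescribeTable",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice"},
    {"@timestamp": "2025-03-05T09:00:00Z", "event.provider": "dynamodb.amazonaws.com",
     "event.action": "ExportTableToPointInTime",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice"},
    {"@timestamp": "2025-03-05T12:00:00Z", "event.provider": "dynamodb.amazonaws.com",
     "event.action": "ExportTableToPointInTime",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:role/backup-job"},
    {"@timestamp": "2025-03-30T08:00:00Z", "event.provider": "dynamodb.amazonaws.com",
     "event.action": "ExportTableToPointInTime",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def first_seen_exports(events, window_days=14):
    """Return the events that should alert: an ExportTableToPointInTime call
    whose user ARN has not issued one in the preceding window_days."""
    window = timedelta(days=window_days)
    last_seen = {}  # user ARN -> timestamp of that ARN's most recent export call
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        if ev.get("event.provider") != "dynamodb.amazonaws.com":
            continue
        if ev.get("event.action") != "ExportTableToPointInTime":
            continue
        arn = ev.get("aws.cloudtrail.user_identity.arn")
        if not arn:
            continue  # no identity to key the history on; cannot evaluate
        now = _ts(ev["@timestamp"])
        prev = last_seen.get(arn)
        if prev is None or now - prev > window:
            alerts.append(ev)  # first export by this ARN in the window
        last_seen[arn] = now
    return alerts

if __name__ == "__main__":
    for hit in first_seen_exports(SAMPLE_EVENTS):
        print(hit["@timestamp"], hit["aws.cloudtrail.user_identity.arn"])
```

With the sample data, alice's second export four days later is suppressed, while the backup role's first export and alice's export 25 days later both alert.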
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Service
- Cloud Storage
- User Account
ATT&CK Techniques
- T1567
- T1567.002
Created: 2025-03-13