
Summary
This rule identifies when an Amazon Relational Database Service (RDS) Aurora database snapshot is exported, which could indicate data exfiltration. The detection is based on AWS CloudTrail logs, specifically the 'StartExportTask' action for RDS operations. The rule looks back over the last 60 minutes and runs every 10 minutes. Matched events receive a risk score of 21 (low). Because system or network administrators may export snapshots legitimately, the rule stresses verifying the user identities involved in the export to reduce false positives; its guidance is to investigate unknown identities or user agents. Compatible data sources include logs from the AWS integration and the Filebeat module. The rule is part of continuous monitoring efforts and supports asset visibility in cloud environments.
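The detection logic described above, as an added example that is not the rule's own query: it scans constructed CloudTrail-style records for RDS 'StartExportTask' calls inside a 60-minute window, attaches the risk score of 21, and flags actors outside a hypothetical allow-list of known exporters for the identity review the guidance calls for.

```python
"""Flag RDS snapshot exports (CloudTrail StartExportTask) seen in the last 60 minutes.

The sample events are constructed and follow the CloudTrail record layout
(eventTime, eventSource, eventName, userIdentity, userAgent); the allow-list of
known exporting identities is a hypothetical input a team would maintain.
"""
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (not real data); only the fields the check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-06T10:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "StartExportTask", "userAgent": "aws-cli/2.2.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-admin"}},
    {"eventTime": "2021-06-06T10:20:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "StartExportTask", "userAgent": "python-requests/2.25.1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor7"}},
    {"eventTime": "2021-06-06T08:00:00Z", "eventSource": "rds.amazonaws.com",  # outside the window
     "eventName": "StartExportTask", "userAgent": "aws-cli/2.2.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-admin"}},
    {"eventTime": "2021-06-06T10:30:00Z", "eventSource": "rds.amazonaws.com",  # not an export
     "eventName": "DescribeDBSnapshots", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor7"}},
]

KNOWN_EXPORTERS = {"arn:aws:iam::111122223333:user/backup-admin"}  # hypothetical allow-list
RISK_SCORE = 21  # fixed score the rule assigns to every match


def parse_time(s):
    """Parse a CloudTrail eventTime string into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_snapshot_exports(events, now, window=timedelta(minutes=60), known=KNOWN_EXPORTERS):
    """Return one alert per RDS StartExportTask call whose eventTime falls in the last `window`.

    Each alert carries the actor, user agent and risk score, plus needs_review=True
    when the actor is not on the allow-list (the triage signal the rule guidance names).
    """
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "rds.amazonaws.com" or ev.get("eventName") != "StartExportTask":
            continue
        seen = parse_time(ev["eventTime"])
        if not (now - window <= seen <= now):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        alerts.append({"time": ev["eventTime"], "actor": arn, "user_agent": ev.get("userAgent"),
                       "risk_score": RISK_SCORE, "needs_review": arn not in known})
    return alerts


if __name__ == "__main__":
    for alert in find_snapshot_exports(SAMPLE_EVENTS, parse_time("2021-06-06T10:40:00Z")):
        print(alert)
```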
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
Created: 2021-06-06