SQL Traffic to the Internet

Elastic Detection Rules

Summary
This detection rule identifies potential database traffic from local network connections to the Internet for several database systems, including MS SQL, Oracle, MySQL, and PostgreSQL. It is motivated by the excessive risk of exposing databases directly to the Internet, since these systems are common targets for attackers attempting to gain initial access to organizational resources. The rule uses a query that looks specifically for TCP traffic on commonly used database ports (1433 for MS SQL, 1521 for Oracle, 3306 for MySQL, and 5432 for PostgreSQL) from internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to any non-local destination IP. It has a known false-positive risk: ephemeral ports and NAT can produce flows that match the query without any real database exposure, particularly in cloud environments. The suggested severity level is medium, indicating a moderate risk associated with the identified traffic pattern.
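The matching logic described above, re-implemented as a stand-alone Python check over a few constructed flow records (this is an added illustration, not the Elastic rule's own query). It assumes "non-local" means any destination outside the three internal ranges plus loopback and link-local space, since the page does not list the exact exclusions.

```python
import ipaddress
from typing import Iterable, List

# Database ports the rule watches (from the page): MS SQL, Oracle, MySQL, PostgreSQL.
DB_PORTS = {1433, 1521, 3306, 5432}

# Internal source ranges named on the page.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a "local" destination is an internal, loopback or link-local address;
# anything else counts as the Internet for the purpose of this check.
LOCAL_NETS = INTERNAL_NETS + [ipaddress.ip_network(n)
                              for n in ("127.0.0.0/8", "169.254.0.0/16")]


def in_any(ip: str, nets) -> bool:
    """True when ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def matches_rule(flow: dict) -> bool:
    """Return True when a single flow record would trigger the rule:
    TCP, destination on a database port, internal source, non-local destination."""
    if flow.get("transport") != "tcp":
        return False
    if flow.get("dst_port") not in DB_PORTS:
        return False
    if not in_any(flow["src_ip"], INTERNAL_NETS):
        return False
    return not in_any(flow["dst_ip"], LOCAL_NETS)


def evaluate(flows: Iterable[dict]) -> List[dict]:
    """Return the subset of flows that the rule would alert on."""
    return [f for f in flows if matches_rule(f)]


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    {"transport": "tcp", "src_ip": "10.1.2.3", "src_port": 51234, "dst_ip": "203.0.113.10", "dst_port": 3306},  # internal -> Internet MySQL: alert
    {"transport": "tcp", "src_ip": "192.168.1.5", "src_port": 40000, "dst_ip": "192.168.1.20", "dst_port": 5432},  # internal -> internal: no alert
    {"transport": "udp", "src_ip": "10.1.2.3", "src_port": 5000, "dst_ip": "203.0.113.10", "dst_port": 1433},  # not TCP: no alert
    {"transport": "tcp", "src_ip": "198.51.100.7", "src_port": 3306, "dst_ip": "10.1.2.3", "dst_port": 1521},  # external source: no alert
    {"transport": "tcp", "src_ip": "172.20.0.9", "src_port": 4444, "dst_ip": "198.51.100.7", "dst_port": 1521},  # internal -> Internet Oracle: alert
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_FLOWS):
        print(f"ALERT {hit['src_ip']}:{hit['src_port']} -> {hit['dst_ip']}:{hit['dst_port']}")
```

The NAT false positive the summary mentions shows up here as a flow whose recorded source address is internal only because of address translation; the check cannot distinguish that from genuine exposure without additional context such as the translating device's logs.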
Categories
  • Database
  • Network
  • Cloud
  • On-Premise
Data Sources
  • Network Traffic
  • Logon Session
  • Application Log
Created: 2020-02-18