
Databricks Data Movement with Explicit Credentials

Panther Rules

Summary
Detects creation or modification of storage credentials, connections, and external locations in Databricks Unity Catalog, changes that establish direct paths to external storage and could be used to stage data exfiltration. The rule matches specific Unity Catalog audit actions emitted by Databricks (for example createStorageCredential and updateConnection) that create or alter such a path. DBFS mount point creation is excluded by design, as it is covered by a separate rule. When a credential-related change occurs, the rule raises an informational-severity alert flagging the event as possible exfiltration setup and prompting further investigation, such as confirming that the actor was expected to manage that credential and that the referenced external storage belongs to the organisation. The rule maps to MITRE ATT&CK technique T1537 (Transfer Data to Cloud Account) under tactic TA0010 (Exfiltration). The included tests cover typical positive events (storage credential creation, connection update) and confirm that non-relevant actions (mounts, unrelated actions) do not alert.
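The detection logic described above, written out as a Panther-style rule and run over a handful of sample audit events. This is an added example, not the published Panther rule. The field names (serviceName, actionName, requestParams, userIdentity.email, response.statusCode, sourceIPAddress, workspaceId) follow the Databricks audit log schema; the action list extends the two actions named on the page with the create/update counterparts for the same Unity Catalog object types, the status-code check is an extra filter not described on the page, and the sample events are constructed.

```python
"""Illustrative Panther-style rule for Unity Catalog credential changes.

Added example, not Panther's own rule code. It assumes Databricks audit log
field names and uses constructed sample events.
"""

# Unity Catalog actions that create or change a route to external storage.
# Assumed list: the two actions named on the page plus their obvious
# create/update counterparts for the same object types.
CREDENTIAL_ACTIONS = {
    "createStorageCredential",
    "updateStorageCredential",
    "createExternalLocation",
    "updateExternalLocation",
    "createConnection",
    "updateConnection",
}


def deep_get(event, *keys, default=None):
    """Walk nested dict keys; stand-in for Panther's event.deep_get()."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Return True when the event should alert."""
    # DBFS mounts (serviceName "dbfs", actionName "mount") never pass this
    # check, which is how the mount exclusion is expressed here.
    if event.get("serviceName") != "unityCatalog":
        return False
    if event.get("actionName") not in CREDENTIAL_ACTIONS:
        return False
    # Added filter: only a successful API call actually creates or changes a
    # credential. A missing status is treated as success so nothing is dropped.
    return deep_get(event, "response", "statusCode", default=200) == 200


def title(event):
    actor = deep_get(event, "userIdentity", "email", default="<unknown user>")
    target = deep_get(event, "requestParams", "name", default="<unnamed object>")
    return (
        f"Databricks Unity Catalog {event.get('actionName')} by {actor} "
        f"on {target}"
    )


def severity(_event):
    return "INFO"


def alert_context(event):
    """Fields an analyst needs to decide whether the change was expected."""
    return {
        "actor": deep_get(event, "userIdentity", "email"),
        "action": event.get("actionName"),
        "target": deep_get(event, "requestParams", "name"),
        "source_ip": event.get("sourceIPAddress"),
        "workspace_id": event.get("workspaceId"),
    }


# Constructed sample audit events: two true positives, a DBFS mount, an
# unrelated read action, and a failed (403) attempt.
SAMPLE_EVENTS = [
    {"serviceName": "unityCatalog", "actionName": "createStorageCredential",
     "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"name": "s3-landing-cred"},
     "response": {"statusCode": 200}, "sourceIPAddress": "203.0.113.10",
     "workspaceId": "1234567890"},
    {"serviceName": "unityCatalog", "actionName": "updateConnection",
     "userIdentity": {"email": "bob@example.com"},
     "requestParams": {"name": "partner-postgres"},
     "response": {"statusCode": 200}, "sourceIPAddress": "203.0.113.11",
     "workspaceId": "1234567890"},
    {"serviceName": "dbfs", "actionName": "mount",
     "userIdentity": {"email": "carol@example.com"},
     "requestParams": {"mountPoint": "/mnt/export"},
     "response": {"statusCode": 200}},
    {"serviceName": "unityCatalog", "actionName": "getTable",
     "userIdentity": {"email": "dave@example.com"},
     "requestParams": {"full_name_arg": "main.sales.orders"},
     "response": {"statusCode": 200}},
    {"serviceName": "unityCatalog", "actionName": "createExternalLocation",
     "userIdentity": {"email": "eve@example.com"},
     "requestParams": {"name": "gcs-dropbox"},
     "response": {"statusCode": 403}},
]


def run(events):
    """Apply the rule to a batch of events; returns the alert titles raised."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Run as-is, only the createStorageCredential and updateConnection events alert; the mount, the read-only getTable call and the rejected createExternalLocation attempt are dropped. Whether to keep the status-code filter is a tuning decision: dropping failed attempts cuts noise, but a burst of 403s from one principal trying to create external locations is itself worth a separate, lower-volume detection.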
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1537
Created: 2026-04-01