Detects a change of the database master password. This may be part of data exfiltration.
Detects the recovery of a new public database instance from a snapshot. This may be part of data exfiltration.
Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example, when a user creates an inbox rule that forwards a copy of all emails to an external address.
Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either the "PUT" or "POST" method.
Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.