AN0680: Analytic 0680
Unusual or excessive database/table exports from SaaS database platforms (e.g., Snowflake, Firebase, BigQuery, Airtable) by users or apps not in known analytics or dev groups. Defender observes access patterns outside baseline working hours or with new query templates, and correlates those with audit logs or file downloads.
Analyst context for executives and security teams
This analytic is about spotting unusual or excessive exports from SaaS database platforms such as Snowflake, Firebase, BigQuery, and Airtable. For leaders, the practical issue is not just “large download activity”; it is whether the organization can prove who or what exported business data, whether that activity was expected, and whether it happened outside normal user, application, or working-hour patterns.
Executive priority
Prioritize this as a data governance, cloud/SaaS security, and incident readiness question. Executives should ask whether sensitive SaaS data stores have accountable owners, approved analytics/dev user groups, export baselines, and audit evidence that can support an investigation or compliance inquiry. The business risk is delayed recognition of abnormal data movement from SaaS platforms, especially where legitimate users or apps have broad export permissions.
Technical view
SOC and detection teams should validate monitoring for SaaS database/table export behavior by user, app, role/group, time of day, query pattern, and associated file download activity. Because the ATT&CK object provides no tactic mapping, no relationship context, and no formal detection logic, teams should treat this as a detection design requirement: baseline approved analytics and development activity, then alert on exports by users or apps outside those groups, excessive volume/frequency, new query templates, or activity outside normal working hours.
Likely telemetry
- SaaS platform audit logs for database, table, query, and export events
- User and application identity context, including group or role membership
- Query history or query template metadata where available
- File download or data export records from the SaaS platform
- Timestamps sufficient to compare activity against baseline working hours
Detection direction
- Confirm that audit logging is enabled and retained for the relevant SaaS database platforms named in scope: Snowflake, Firebase, BigQuery, Airtable, or comparable SaaS data stores.
- Build baselines for known analytics and development groups before treating export activity as suspicious.
- Correlate export events with identity context, query patterns, working-hour deviations, and file downloads rather than relying on volume alone.
- Tune for expected reporting, backup, migration, and development workflows to reduce false positives.
- Review blind spots where service accounts, third-party apps, or shared credentials make it difficult to identify the true actor.
Mitigation priorities
- Define and document approved users, apps, and groups allowed to perform database or table exports.
- Apply least-privilege access to SaaS data stores, especially export and bulk-download permissions.
- Ensure SaaS audit logs, query history, and download events are enabled, centralized, and retained for investigations.
- Review service account and application access paths that may bypass normal user monitoring.
- Use incident response playbooks that include SaaS data export triage, identity review, and evidence preservation.
Analyst notes and limits
This object is a detection analytic for SaaS platforms and focuses on unusual or excessive database/table exports. The most useful local validation is whether the organization can distinguish approved analytics/dev activity from abnormal user or app behavior using reliable SaaS audit and download telemetry.
The supplied ATT&CK fields do not include tactics, relationships, or official detection logic. No claim can be made about active exploitation, attribution, impact, or guaranteed coverage. Local platform configuration, logging depth, identity architecture, and data classification are required to determine actual risk and detection quality.
Analytic 0680
Unusual or excessive database/table exports from SaaS database platforms (e.g., Snowflake, Firebase, BigQuery, Airtable) by users or apps not in known analytics or dev groups. Defender observes access patterns outside baseline working hours or with new query templates, and correlates those with audit logs or file downloads.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c3bb3c2df4b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0680Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.