VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS EC2 VM Export Failure

Description

Identifies a failed attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure
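The following is an added worked example, not code from the LoFP page or from the Elastic rule it quotes. It evaluates the four-term query above against constructed CloudTrail events laid out in ECS field names, then drops hits that match an exemption list of known exporters (identity, user agent and source address together), which is how the false-positive note suggests handling expected administrator exports. The sample events, the exemption entry and the three-field exemption shape are assumptions made for the example.

```python
# Added example (not from the LoFP page or the rule it quotes): apply the
# "AWS EC2 VM Export Failure" detection logic to constructed ECS-shaped
# CloudTrail events and filter out exempted, known-good exporters.

from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events; none are real CloudTrail records.
SAMPLE_EVENTS: List[Event] = [
    {   # known backup administrator who is expected to export VMs
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateInstanceExportTask",
        "event.outcome": "failure",
        "user.name": "backup-admin",
        "user_agent.original": "aws-cli/2.15.0",
        "source.ip": "10.0.5.20",
    },
    {   # same API call from an unfamiliar identity, user agent and address
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateInstanceExportTask",
        "event.outcome": "failure",
        "user.name": "contractor-temp",
        "user_agent.original": "python-requests/2.31",
        "source.ip": "203.0.113.7",
    },
    {   # successful export: outside this rule, which only matches failures
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateInstanceExportTask",
        "event.outcome": "success",
        "user.name": "contractor-temp",
        "user_agent.original": "python-requests/2.31",
        "source.ip": "203.0.113.7",
    },
    {   # unrelated EC2 failure: different action, must not match
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "RunInstances",
        "event.outcome": "failure",
        "user.name": "contractor-temp",
        "user_agent.original": "python-requests/2.31",
        "source.ip": "203.0.113.7",
    },
]

# Exemption list (constructed, and the three-field shape is an assumption).
# Every field in an entry must match, so a known user acting from an unknown
# address or with an unknown user agent still raises an alert.
EXEMPTIONS: List[Event] = [
    {
        "user.name": "backup-admin",
        "user_agent.original": "aws-cli/2.15.0",
        "source.ip": "10.0.5.20",
    },
]


def matches_rule(event: Event) -> bool:
    """Mirror the rule's KQL: all four equality terms must hold."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "ec2.amazonaws.com"
        and event.get("event.action") == "CreateInstanceExportTask"
        and event.get("event.outcome") == "failure"
    )


def is_exempt(event: Event, exemptions: Iterable[Event]) -> bool:
    """True when some exemption entry matches the event on all of its fields."""
    return any(
        all(event.get(field) == value for field, value in entry.items())
        for entry in exemptions
    )


def triage(events: Iterable[Event], exemptions: Iterable[Event]) -> List[Event]:
    """Return the events that fire the rule and are not covered by an exemption."""
    exemptions = list(exemptions)
    return [e for e in events if matches_rule(e) and not is_exempt(e, exemptions)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, EXEMPTIONS):
        print(
            f"investigate: user={hit['user.name']} "
            f"ua={hit['user_agent.original']} ip={hit['source.ip']}"
        )
```

Requiring all three exemption fields to match at once keeps the exemption narrow: the backup administrator's routine exports are suppressed, but the same identity appearing from a new address or tool still surfaces for review, which is the distinction the false-positive note asks the analyst to make.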