
AWS STS GetSessionToken Abuse

Elastic Detection Rules

Summary
This detection rule identifies suspicious use of the GetSessionToken API call in AWS Security Token Service (STS). Attackers can exploit this API to create temporary credentials that can then be used for lateral movement and privilege escalation within an AWS environment. The rule captures successful GetSessionToken requests initiated by IAM users, flagging instances where this behavior appears anomalous and warrants further investigation. It recommends a structured approach to triage and analysis: inspecting the CloudTrail logs for details about the IAM user and the source of the request, reviewing the user's activity for unusual patterns, and correlating the event with other security alerts. It also outlines response and remediation actions, emphasizing the need to revoke suspicious credentials, conduct a thorough audit of the user's actions, and reinforce IAM policies to minimize future risk. Additionally, the rule addresses the possibility of false positives resulting from regular administrative activities or automated processes, and it suggests implementing exceptions for verified legitimate usage.
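The logic the summary describes, as an added illustration that is not the Elastic rule's own query: a small detector run over constructed CloudTrail-style records that flags successful GetSessionToken calls made by IAM users, ignores failed calls and calls made by assumed roles, and supports an allowlist of verified users so that known automation can be excepted. The field names (eventSource, eventName, errorCode, userIdentity.type) follow the CloudTrail record format; the user names, account id, IP addresses and timestamps are constructed for the example.

```python
"""Detect successful sts:GetSessionToken calls by IAM users in CloudTrail records.

Added example, not the detection rule's own implementation. The sample
records below are constructed and do not come from any real account.
"""
from typing import Iterable, List, Dict, FrozenSet

# Constructed sample CloudTrail records (a real export is a list under the
# "Records" key; only the fields the detector reads are included here).
SAMPLE_EVENTS: List[Dict] = [
    {   # successful GetSessionToken by an IAM user -> should be flagged
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # failed call: errorCode present -> not a successful token issuance
        "eventTime": "2024-01-01T10:01:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "203.0.113.11",
    },
    {   # caller is an assumed role, not an IAM user -> out of scope
        "eventTime": "2024-01-01T10:02:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
        "sourceIPAddress": "198.51.100.5",
    },
    {   # different STS call -> not this rule
        "eventTime": "2024-01-01T10:03:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # known automation account: flagged unless allowlisted
        "eventTime": "2024-01-01T10:04:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "userName": "backup-automation",
                         "arn": "arn:aws:iam::123456789012:user/backup-automation"},
        "sourceIPAddress": "10.0.0.8",
    },
]


def is_suspicious_get_session_token(event: Dict,
                                    allowlist: FrozenSet[str] = frozenset()) -> bool:
    """Return True when the record matches the rule's conditions.

    Conditions: STS event source, GetSessionToken action, no errorCode
    (i.e. the call succeeded), caller type IAMUser, and the user is not
    on the verified-usage allowlist.
    """
    identity = event.get("userIdentity", {})
    return (
        event.get("eventSource") == "sts.amazonaws.com"
        and event.get("eventName") == "GetSessionToken"
        and "errorCode" not in event
        and identity.get("type") == "IAMUser"
        and identity.get("userName") not in allowlist
    )


def detect(events: Iterable[Dict],
           allowlist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return the records that match, preserving input order."""
    return [e for e in events if is_suspicious_get_session_token(e, allowlist)]


def triage_summary(hits: Iterable[Dict]) -> List[Dict]:
    """Extract the fields an analyst checks first: who, from where, when."""
    return [
        {"user": h["userIdentity"].get("userName"),
         "arn": h["userIdentity"].get("arn"),
         "source_ip": h.get("sourceIPAddress"),
         "time": h.get("eventTime")}
        for h in hits
    ]


if __name__ == "__main__":
    for row in triage_summary(detect(SAMPLE_EVENTS, allowlist=frozenset({"backup-automation"}))):
        print(row)
```

Running the block with the allowlist containing the automation user leaves a single hit for `alice`; without the allowlist the automation user is reported as well, which is the false-positive case the summary tells you to handle with an exception rather than by loosening the rule.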
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1548
  • T1550
  • T1550.001
Created: 2021-05-17