
Summary
This detection rule is aimed at identifying potentially malicious activity related to the enumeration of Amazon Web Services (AWS) storage resources, particularly the S3 bucket service. The rule uses Splunk to query AWS CloudTrail logs, which record the actions users take in the cloud environment. API calls associated with storage enumeration, such as ListBuckets, GetBucketCors, and GetBucketPolicy, are monitored for bursts of activity that might indicate reconnaissance by threat actors, specifically those associated with the GUI-vil group. The search aggregates events by source IP address and flags any source that has exceeded a threshold of three distinct event types within a 90-second window, which signifies a possible enumeration attempt.
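The aggregation the summary describes, re-implemented here as an added Python example so it can be run offline against constructed CloudTrail records; it is not the Splunk search itself. The event-name set uses the three names from the summary plus two assumed additional S3 read APIs (GetBucketAcl, GetBucketVersioning), the sample records are constructed, and the comparison used for "exceeded a threshold of three" (alert once at least three distinct names appear in a window) is an assumption.

```python
"""Sliding-window detector for S3 enumeration in CloudTrail records.

Added example (not the Splunk rule itself): it re-implements the aggregation
the summary describes, grouping S3 read calls by sourceIPAddress and flagging a
source that produces several distinct enumeration API names inside one
90-second window.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Event names taken from the rule summary, plus two assumed additional S3
# read APIs (GetBucketAcl, GetBucketVersioning) to show the set is extensible.
ENUMERATION_EVENTS = {
    "ListBuckets", "GetBucketCors", "GetBucketPolicy",
    "GetBucketAcl", "GetBucketVersioning",
}
WINDOW_SECONDS = 90
# Assumption: the summary says "exceeded a threshold of three distinct event
# types"; this example alerts once at least MIN_DISTINCT distinct names appear.
MIN_DISTINCT = 3

# Constructed sample records (not real CloudTrail output); only the fields
# the detection reads are present.
SAMPLE_RECORDS = [
    # 198.51.100.7: four distinct S3 read calls in 70 seconds -> should alert
    {"eventTime": "2024-02-09T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T10:00:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketAcl", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T10:00:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T10:01:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketCors", "sourceIPAddress": "198.51.100.7"},
    # 203.0.113.5: only two distinct names within any 90 s window -> no alert
    {"eventTime": "2024-02-09T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-02-09T10:05:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-02-09T10:05:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-02-09T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketCors", "sourceIPAddress": "203.0.113.5"},
    # Noise the rule ignores: a write call and a call to a non-S3 service.
    {"eventTime": "2024-02-09T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-02-09T10:00:06Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5"},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_enumeration(records, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    """Return one alert per source IP whose S3 read calls, within any
    `window`-second span, cover at least `min_distinct` distinct event names."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in ENUMERATION_EVENTS:
            continue
        by_ip[rec["sourceIPAddress"]].append(
            (parse_event_time(rec["eventTime"]), rec["eventName"]))

    alerts = []
    for ip, events in sorted(by_ip.items()):
        events.sort()
        # Slide a window anchored at each event; stop at the first hit so a
        # noisy source yields a single alert rather than one per event.
        for i, (start, _) in enumerate(events):
            names, end = set(), start
            for ts, name in events[i:]:
                if (ts - start).total_seconds() > window:
                    break
                names.add(name)
                end = ts
            if len(names) >= min_distinct:
                alerts.append({
                    "sourceIPAddress": ip,
                    "firstTime": start.isoformat(),
                    "lastTime": end.isoformat(),
                    "eventNames": sorted(names),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_RECORDS):
        print(alert)
```

Running the script prints a single alert for 198.51.100.7; 203.0.113.5 repeats ListBuckets and spreads its calls across more than 90 seconds, so it never reaches three distinct names in one window. Lowering `min_distinct` or widening `window` shows how sensitive the rule is to those two knobs, which is the tuning decision an analyst makes when adapting it to a noisy account.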
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Service
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1526
- T1619
Created: 2024-02-09