
Summary
This detection rule identifies attempts by adversaries to discover network connections within an AWS environment. Attackers may use cloud service APIs to enumerate network connections to and from compromised systems or remote resources. By querying AWS CloudTrail logs, the rule captures events indicative of listing and describing connections, specifically calls to AWS APIs such as ListConnections and DescribeConnections. It processes the relevant event data (timestamps, the calling user, and source IP addresses) and aggregates it for easier analysis. Outputs include user-related metrics and source geolocation, which help identify unauthorized or suspicious activity tied to network discovery. The detection helps counter tactics used by threat actors seeking to map cloud infrastructure and so strengthens the security posture against later exploitation. It applies to AWS environments where CloudTrail is enabled, which gives the rule a complete view of these API calls and the identities behind them.
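The following is an added example, not the rule's own query, showing the same detection logic applied to constructed CloudTrail records: it keeps only ListConnections and DescribeConnections calls and aggregates timestamps, callers and source IPs per principal. The sample records, account ID and addresses are constructed; the function names are this example's own.

```python
import json
from collections import defaultdict

# APIs the rule treats as network connection discovery (named in the summary).
DISCOVERY_APIS = {"ListConnections", "DescribeConnections"}

# Constructed sample CloudTrail records (not real telemetry), one JSON object per
# line, reduced to the fields the rule reads: time, API name, caller and source IP.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-02-09T10:01:00Z", "eventName": "DescribeConnections",
     "eventSource": "directconnect.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-02-09T10:02:30Z", "eventName": "ListConnections",
     "eventSource": "events.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-02-09T10:05:00Z", "eventName": "ListConnections",
     "eventSource": "events.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
    {"eventTime": "2024-02-09T10:06:00Z", "eventName": "DescribeInstances",  # not matched
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
])


def is_connection_discovery(event):
    """True when the record is one of the connection enumeration API calls."""
    return event.get("eventName") in DISCOVERY_APIS


def aggregate(log_text):
    """Group matching records per caller: time window, call count, APIs, source IPs.

    Mirrors the rule's aggregation of timestamps, users and IP addresses so an
    analyst sees one row per principal instead of one alert per API call.
    """
    rows = defaultdict(lambda: {"first": None, "last": None, "count": 0,
                                "apis": set(), "source_ips": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_connection_discovery(event):
            continue
        user = event.get("userIdentity", {}).get("arn", "unknown")
        row, t = rows[user], event["eventTime"]  # ISO-8601 strings compare in order
        row["first"] = t if row["first"] is None or t < row["first"] else row["first"]
        row["last"] = t if row["last"] is None or t > row["last"] else row["last"]
        row["count"] += 1
        row["apis"].add(event["eventName"])
        row["source_ips"].add(event.get("sourceIPAddress", ""))
    return dict(rows)


if __name__ == "__main__":
    for user, row in aggregate(SAMPLE_LOG).items():
        print(user, row["first"], row["last"], row["count"],
              sorted(row["apis"]), sorted(row["source_ips"]))
```

The source IPs in each row are what a geolocation lookup would be applied to in the real rule; a single principal calling both APIs from an address never seen for that user is the pattern worth reviewing.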
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Network Traffic
- Application Log
ATT&CK Techniques
- T1049
Created: 2024-02-09