
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization
Elastic Detection Rules
Summary
This rule detects the first occurrence of an AWS EC2 SSH key pair creation (CreateKeyPair) by a principal when the activity originates from a network associated with an ASN organization not attributed to major cloud providers. It leverages CloudTrail logs (aws.cloudtrail) and filters on the EC2 provider and successful CreateKeyPair actions, adding a geo/ASN-based exclusion via source.as.organization.name to identify unusual or potentially malicious activity. A new_terms mechanism surfaces only the first event by a given principal within a defined history window, suppressing repeat events from the same actor to reduce noise while still surfacing initial suspicious activity. Investigators are guided to correlate related AWS actions (RunInstances, ImportKeyPair, Instance Connect) and to review key material, keyName, and IAM permissions. The rule ties to MITRE ATT&CK techniques for Persistence (Account Manipulation, T1098), Credential Access (Unsecured Credentials, T1552.004), and Lateral Movement (SSH, T1021.004). It assigns a medium severity with a risk score of 47 and provides field details for investigation and remediation steps. This is intended to help detect adversaries staging SSH access material before instance access and should be tuned for legitimate admin scenarios by adjusting the excluded ASN organization names and principal ARN in validation.
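The filter and first-occurrence (new_terms) behaviour described above, re-implemented in plain Python as an added example rather than the Elastic rule's own query. The excluded cloud-provider ASN organization names, the 14-day history window and the flattened field names are assumptions, and the CloudTrail-style events are constructed.

```python
from datetime import datetime, timedelta

# Assumed exclusion list of cloud-provider ASN organization names; the page does
# not reproduce the rule's own list, so tune it to your environment.
CLOUD_AS_ORGS = {"amazon.com, inc.", "google llc", "microsoft corporation"}
HISTORY_WINDOW = timedelta(days=14)  # assumed new_terms history window

def matches_filter(ev):
    # Rule filter: successful EC2 CreateKeyPair from a non-cloud ASN organization.
    as_org = (ev.get("source_as_org") or "").lower()
    return (ev["dataset"] == "aws.cloudtrail"
            and ev["provider"] == "ec2.amazonaws.com"
            and ev["action"] == "CreateKeyPair"
            and ev["outcome"] == "success"
            and as_org not in CLOUD_AS_ORGS)

def new_terms_alerts(events, window=HISTORY_WINDOW):
    # new_terms behaviour: surface only the first matching event per principal
    # within the history window; later events from the same actor are suppressed.
    last_seen = {}  # principal ARN -> timestamp of its last matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(ev):
            continue
        prev = last_seen.get(ev["principal_arn"])
        if prev is None or ev["ts"] - prev > window:
            alerts.append(ev)
        last_seen[ev["principal_arn"]] = ev["ts"]
    return alerts

def _ev(ts, user, as_org, action="CreateKeyPair", outcome="success", key="ops-key"):
    # Constructed, flattened CloudTrail-style event (not real data).
    return {"ts": ts, "dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
            "action": action, "outcome": outcome, "source_as_org": as_org,
            "principal_arn": f"arn:aws:iam::123456789012:user/{user}", "key_name": key}

T0 = datetime(2026, 4, 8, 12, 0, 0)
SAMPLE_EVENTS = [
    _ev(T0, "alice", "Example Telecom Ltd"),                                   # alert: new principal
    _ev(T0 + timedelta(hours=1), "alice", "Example Telecom Ltd"),              # suppressed: seen in window
    _ev(T0 + timedelta(hours=2), "bob", "Amazon.com, Inc."),                   # excluded: cloud ASN org
    _ev(T0 + timedelta(hours=3), "carol", "Example ISP", outcome="failure"),   # not a success
    _ev(T0 + timedelta(hours=4), "dave", "Example ISP", action="RunInstances"), # not CreateKeyPair
    _ev(T0 + timedelta(days=20), "alice", "Example Telecom Ltd", key="new-key"),  # alert: window expired
]

def run_example():
    return new_terms_alerts(SAMPLE_EVENTS)
```

Only two of the six constructed events surface: alice's first key pair, and her next one after the history window has lapsed, which is the noise reduction the summary describes.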
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1552
- T1552.004
- T1021
- T1021.004
Created: 2026-04-08