
Summary
The rule identifies the creation of an AWS Systems Manager (SSM) command document by users who do not typically perform this action. Such creation could indicate malicious activity, as adversaries may leverage SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command-and-control activity, or data exfiltration. The rule queries AWS CloudTrail logs for events where SSM command documents are created successfully, filtering for cases where the user creating the document is atypical. Key investigation steps include reviewing the user identity, analyzing the content and purpose of the created document, and correlating related AWS events to identify suspicious patterns. False positives may arise from legitimate users creating documents for authorized tasks; thus, thorough context analysis is essential to differentiate between legitimate and potentially harmful actions. Immediate response actions include reviewing the document and deleting it if unauthorized, enhancing monitoring for such events, and updating permission policies to restrict document creation to trusted user roles.
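The detection logic described above, run over constructed CloudTrail-style records, as an added example that is not the rule's own query. It assumes the standard CloudTrail schema for the SSM CreateDocument API (eventSource, eventName, errorCode, requestParameters.documentType); the ARNs and document names are made up, and the "typical user" baseline is simply the set of creators seen in an earlier window.

```python
# Constructed CloudTrail-style records (sample data, not real AWS events).
# Field names follow the standard CloudTrail schema for SSM CreateDocument.
def _evt(arn, name, doc_type="Command", error=None):
    e = {"eventSource": "ssm.amazonaws.com", "eventName": "CreateDocument",
         "userIdentity": {"arn": arn},
         "requestParameters": {"name": name, "documentType": doc_type}}
    if error:
        e["errorCode"] = error  # CloudTrail sets errorCode on failed API calls
    return e

ADMIN = "arn:aws:iam::111111111111:user/ssm-admin"   # hypothetical
DEV = "arn:aws:iam::111111111111:user/dev-temp"      # hypothetical

# Baseline window: who normally creates SSM command documents.
HISTORY = [_evt(ADMIN, "patch-runbook"), _evt(ADMIN, "collect-logs")]

# Detection window: the events being evaluated.
RECENT = [
    _evt(ADMIN, "restart-agent"),                  # known creator -> not flagged
    _evt(DEV, "run-shell"),                        # new creator -> flagged
    _evt(DEV, "denied", error="AccessDenied"),     # failed call -> ignored
    _evt(DEV, "cleanup", doc_type="Automation"),   # not a Command doc -> ignored
]

def is_successful_command_doc_creation(event):
    """True only for a successful SSM CreateDocument with documentType=Command."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return False
    if event.get("eventName") != "CreateDocument":
        return False
    if "errorCode" in event:
        return False
    params = event.get("requestParameters") or {}
    return params.get("documentType") == "Command"

def baseline_creators(history):
    """Set of user ARNs that successfully created command documents in the baseline."""
    return {e["userIdentity"]["arn"] for e in history
            if is_successful_command_doc_creation(e)}

def find_atypical_creations(recent, known):
    """Return (arn, document name) for successful creations by users outside the baseline."""
    hits = []
    for e in recent:
        if not is_successful_command_doc_creation(e):
            continue
        arn = e["userIdentity"]["arn"]
        if arn not in known:
            hits.append((arn, e["requestParameters"]["name"]))
    return hits

if __name__ == "__main__":
    for arn, name in find_atypical_creations(RECENT, baseline_creators(HISTORY)):
        print(f"atypical SSM command document creation: {arn} created {name!r}")
```

Each hit is a lead for the investigation steps above (identity review, document content, correlated events), not a verdict on its own.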
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Network Share
- Service
- Cloud Service
Created: 2024-11-01