
AWS Discovery API Calls from VPN ASN for the First Time by Identity

Elastic Detection Rules

Summary
This rule detects the first observed instance of an IAM principal invoking a narrow set of discovery-oriented AWS APIs from an IP address whose ASN enrichment maps to a curated VPN/hosting ASN. It is implemented as an Elastic New Terms rule over two fields, source.as.number and aws.cloudtrail.user_identity.arn, so the "new term" is the combination of principal and ASN: the alert fires when that principal issues one of the listed discovery actions (GetCallerIdentity, ListUsers, ListRoles, ListBuckets, DescribeInstances, DescribeRegions, DescribeTrails, LookupEvents, and similar) from an ASN commonly associated with consumer VPNs, VPN-heavy hosting, or TeamPCP-linked infrastructure, and that principal/ASN pair has not been observed in the preceding 10-day history window.

To keep noise down, the rule matches only an explicit allowlist of actions rather than broad List*/Describe* patterns; operators can clone the rule and extend the action set as their baseline tolerance allows.

The curated VPN-oriented ASNs are enumerated in the rule and require local verification. They include consumer VPN operators such as Mullvad, NordVPN, ProtonVPN, Surfshark and ExpressVPN, and hosting providers such as Datacamp, M247, Vultr, Linode, 31173 Services AB and Oy Crea Nova Hosting Solution Ltd. Hosting ASNs are dual-use, so the rule encourages validating them against local enrichment data before relying on them.

False positives are expected from legitimate VPN or hosting egress; after review, approved principals or ASN ranges should be excluded. Note that the rule depends on ASN enrichment: events in which source.as.number is unset are skipped, so enrichment gaps mean missed coverage rather than alerts.

For triage the rule recommends verifying the user_identity fields, reviewing the provider and action, correlating the source IP and ASN with the asset inventory, and searching for privilege or data-access activity by the same principal within a short window after the discovery calls. The rule is intended for detection and investigation of discovery activity tied to identity and cloud infrastructure usage, with explicit MITRE ATT&CK mappings to Cloud Service Discovery (T1526) and Cloud Infrastructure Discovery (T1580). It is designed to minimize noise while enabling rapid follow-up on suspicious first-time discovery activity from VPN/hosting networks.
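The following is an added example, not part of the Elastic rule or this page, that replays constructed CloudTrail-shaped events through a toy version of the New Terms logic described above: the (user_identity.arn, source.as.number) pair is the term, history is built only from events matching the rule query, and the pair is "new" when it has not matched in the preceding 10 days. It also shows the enrichment-gap behaviour (events without source.as.number are skipped) and a small triage helper that pulls non-discovery API calls by the same principal shortly after an alert. The ASN numbers (20473 Vultr, 63949 Linode, 9009 M247) are assumptions for illustration and, as the page says of the real list, must be verified against local enrichment; the ARNs, timestamps and events are constructed sample data.

```python
from datetime import datetime, timedelta

# Explicit discovery allowlist from the rule summary (no broad List*/Describe* globs).
DISCOVERY_ACTIONS = {
    "GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets",
    "DescribeInstances", "DescribeRegions", "DescribeTrails", "LookupEvents",
}

# Assumed VPN/hosting ASNs for illustration only (Vultr, Linode, M247);
# the page stresses the curated list must be verified against local enrichment.
VPN_HOSTING_ASNS = {20473, 63949, 9009}

HISTORY_WINDOW = timedelta(days=10)


def _get(ev, *path):
    """Walk a nested ECS-style dict; return None if any key is missing."""
    for key in path:
        if not isinstance(ev, dict) or key not in ev:
            return None
        ev = ev[key]
    return ev


def matches_query(ev):
    """The rule query: an allowlisted discovery action from a curated ASN."""
    return (_get(ev, "event", "action") in DISCOVERY_ACTIONS
            and _get(ev, "source", "as", "number") in VPN_HOSTING_ASNS)


def run_new_terms(events, window=HISTORY_WINDOW):
    """Replay events in time order and alert when the (arn, asn) pair has not
    appeared in a query-matching event during the preceding `window`.

    Returns (alerts, skipped): alerts are the triggering events; skipped are
    events dropped because source.as.number (or the ARN) was absent, which is
    the enrichment gap the rule notes warn about.
    """
    last_seen = {}
    alerts, skipped = [], []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        arn = _get(ev, "aws", "cloudtrail", "user_identity", "arn")
        asn = _get(ev, "source", "as", "number")
        if arn is None or asn is None:
            skipped.append(ev)          # no enrichment, no evaluation
            continue
        if not matches_query(ev):
            continue                    # non-matching events neither alert nor build history
        key = (arn, asn)
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts, skipped


def follow_on_activity(events, alert, window=timedelta(hours=1)):
    """Triage helper: non-discovery API calls by the alerting principal within
    `window` after the alert (candidate privilege or data-access activity)."""
    arn = _get(alert, "aws", "cloudtrail", "user_identity", "arn")
    t0 = datetime.fromisoformat(alert["@timestamp"])
    out = []
    for ev in events:
        if _get(ev, "aws", "cloudtrail", "user_identity", "arn") != arn:
            continue
        dt = datetime.fromisoformat(ev["@timestamp"]) - t0
        if timedelta(0) < dt <= window and _get(ev, "event", "action") not in DISCOVERY_ACTIONS:
            out.append(ev)
    return out


def mk(ts, arn, action, asn=None, provider="iam.amazonaws.com"):
    """Build a constructed, minimal ECS/CloudTrail-shaped event."""
    ev = {"@timestamp": ts, "event": {"action": action, "provider": provider},
          "aws": {"cloudtrail": {"user_identity": {"arn": arn}}}, "source": {}}
    if asn is not None:
        ev["source"]["as"] = {"number": asn}
    return ev


ALICE = "arn:aws:iam::123456789012:user/alice"   # constructed sample ARNs
BOB = "arn:aws:iam::123456789012:user/bob"

SAMPLE_EVENTS = [  # constructed sample data, not real CloudTrail records
    mk("2026-04-03T10:00:00+00:00", ALICE, "GetCallerIdentity", 20473, "sts.amazonaws.com"),
    mk("2026-04-04T09:00:00+00:00", ALICE, "ListBuckets", 20473, "s3.amazonaws.com"),
    mk("2026-04-05T09:00:00+00:00", BOB, "ListUsers", 16509),      # Amazon ASN, not curated
    mk("2026-04-06T09:00:00+00:00", ALICE, "ListRoles"),           # no ASN enrichment: skipped
    mk("2026-04-07T09:00:00+00:00", ALICE, "CreateUser", 20473),   # not a discovery action
    mk("2026-04-15T09:00:00+00:00", ALICE, "ListUsers", 20473),    # pair last matched 11 days ago
    mk("2026-04-15T09:20:00+00:00", ALICE, "PutUserPolicy", 20473),
]

if __name__ == "__main__":
    alerts, skipped = run_new_terms(SAMPLE_EVENTS)
    for a in alerts:
        followups = [e["event"]["action"] for e in follow_on_activity(SAMPLE_EVENTS, a)]
        print("ALERT", a["@timestamp"], a["event"]["action"], "follow-on:", followups)
    print("skipped for missing enrichment:", len(skipped))
```

Two points the replay makes concrete: the 10-day window is measured from the last matching event for the pair, so a principal that keeps using the same VPN ASN stays silent while one that returns after a gap fires again, and the CreateUser event on the same ASN never counts toward history because the query filters on the action allowlist.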
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1526
  • T1580
Created: 2026-04-03