
AWS Account Discovery By Rare User

Elastic Detection Rules

Summary
This rule uses Elastic's New Terms rule type to surface the first time a principal performs AWS account or organization discovery in a given account. It runs over AWS CloudTrail logs (logs-aws.cloudtrail.*) and matches successful calls to the AWS Organizations and IAM read APIs that enumerate organization structure, member accounts and account metadata: DescribeOrganization, ListAccounts, ListRoots, ListOrganizationalUnitsForParent, ListAccountsForParent, ListPolicies and DescribeResourcePolicy from Organizations, and ListAccountAliases and GetAccountSummary from IAM.

The New Terms fields are cloud.account.id and user.name. A matching event alerts when that combination did not appear in any matching event during the history window (now-10d) and appears in the rule's current lookback (now-6m). Two exclusions reduce noise: calls made with credentials derived from a console sign-in (aws.cloudtrail.session_credential_from_console != true) and calls by AWS service principals (aws.cloudtrail.user_identity.type != AWSService). Both are trade-offs worth knowing during triage: a principal whose last discovery call was more than ten days ago alerts again as if new, and discovery performed from a hijacked console session is outside the rule's scope.

The result is a low-severity alert that carries the actor (user.name), the AWS identity (aws.cloudtrail.user_identity.arn), the action, the provider and the impacted account, so an analyst can quickly decide whether this is reconnaissance following credential compromise. The rule maps to MITRE ATT&CK Discovery: T1087 (Account Discovery) with sub-technique T1087.004 (Cloud Account), and T1580 (Cloud Infrastructure Discovery). Fields to pull during investigation are the timestamp, user, user agent, source IP, identity ARNs, actions, outcomes, provider, and the target cloud.account.id and region.

Because only combinations unseen in the history window are raised, routine administrative enumeration does not re-alert on every run, which keeps fatigue low while leaving the alert available for correlation with other activity in the same session: STS GetCallerIdentity, AssumeRole, policy changes, and broader discovery or privilege escalation.
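As an added example (not Elastic's rule definition and not code from the detection-rules repository), the following Python re-implements the base filter and the New Terms first-seen logic described above and runs it over a handful of constructed, ECS-shaped CloudTrail events. Field names follow the Elastic AWS integration; the principal names, account IDs, ARNs and timestamps are invented for illustration.

```python
"""Added example (not Elastic's rule code): a stand-alone re-implementation of
the filter and New Terms logic described in the summary, run over constructed
CloudTrail-shaped records.  Field names follow ECS / the Elastic AWS
integration; every sample event below is invented for illustration."""
from datetime import datetime, timedelta, timezone

# Discovery APIs named in the rule summary, keyed by CloudTrail event.provider.
DISCOVERY_ACTIONS = {
    "organizations.amazonaws.com": {
        "DescribeOrganization", "ListAccounts", "ListRoots",
        "ListOrganizationalUnitsForParent", "ListAccountsForParent",
        "ListPolicies", "DescribeResourcePolicy",
    },
    "iam.amazonaws.com": {"ListAccountAliases", "GetAccountSummary"},
}
HISTORY_WINDOW = timedelta(days=10)   # New Terms history: now-10d
RECENT_WINDOW = timedelta(minutes=6)  # rule lookback: now-6m


def matches_filter(ev):
    """The rule's base query: a successful discovery call that was not made with
    console-derived session credentials and not by an AWS service principal."""
    if ev.get("event.dataset") != "aws.cloudtrail" or ev.get("event.outcome") != "success":
        return False
    if ev.get("event.action") not in DISCOVERY_ACTIONS.get(ev.get("event.provider"), ()):
        return False
    if ev.get("aws.cloudtrail.session_credential_from_console") is True:
        return False
    return ev.get("aws.cloudtrail.user_identity.type") != "AWSService"


def new_terms_alerts(events, now):
    """Return one alert per (cloud.account.id, user.name) pair that occurs in the
    recent window but in no matching event earlier in the history window."""
    recent_start = now - RECENT_WINDOW
    matching = [ev for ev in events
                if matches_filter(ev) and now - HISTORY_WINDOW <= ev["@timestamp"] <= now]
    seen = {(ev["cloud.account.id"], ev["user.name"])
            for ev in matching if ev["@timestamp"] < recent_start}
    alerts = []
    for ev in sorted(matching, key=lambda e: e["@timestamp"]):
        if ev["@timestamp"] < recent_start:
            continue
        key = (ev["cloud.account.id"], ev["user.name"])
        if key in seen:
            continue
        seen.add(key)  # later events for the same pair in this window are not new
        alerts.append({k: ev[k] for k in (
            "@timestamp", "user.name", "cloud.account.id", "event.provider",
            "event.action", "aws.cloudtrail.user_identity.arn")})
    return alerts


# Constructed sample data (hypothetical principals and account IDs) ----------
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)


def make_event(minutes_ago, user, account, provider, action, overrides=None):
    """Build a minimal ECS-shaped CloudTrail record (constructed, not real)."""
    ev = {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "event.dataset": "aws.cloudtrail",
        "event.outcome": "success",
        "event.provider": provider,
        "event.action": action,
        "user.name": user,
        "cloud.account.id": account,
        "aws.cloudtrail.user_identity.type": "IAMUser",
        "aws.cloudtrail.user_identity.arn": f"arn:aws:iam::{account}:user/{user}",
        "aws.cloudtrail.session_credential_from_console": False,
    }
    ev.update(overrides or {})
    return ev


ORG, IAM = "organizations.amazonaws.com", "iam.amazonaws.com"
SAMPLE_EVENTS = [
    # alice enumerated accounts 8 days ago, so her repeat is a known pair: no alert.
    make_event(8 * 24 * 60, "alice", "111111111111", ORG, "ListAccounts"),
    make_event(2, "alice", "111111111111", ORG, "ListAccounts"),
    # Same user in a different account is a new pair: alert.
    make_event(1, "alice", "222222222222", IAM, "ListAccountAliases"),
    # carol last did this 12 days ago, outside now-10d: alerts again.
    make_event(12 * 24 * 60, "carol", "111111111111", ORG, "ListRoots"),
    make_event(5, "carol", "111111111111", ORG, "ListRoots"),
    # A role session never seen before: alert.
    make_event(3, "ci-deploy", "111111111111", ORG, "DescribeOrganization", {
        "aws.cloudtrail.user_identity.type": "AssumedRole",
        "aws.cloudtrail.user_identity.arn":
            "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"}),
    # Excluded by the base query: console-derived session, service principal, failure.
    make_event(1, "bob", "111111111111", ORG, "ListAccounts",
               {"aws.cloudtrail.session_credential_from_console": True}),
    make_event(4, "organizations.amazonaws.com", "111111111111", ORG, "ListRoots",
               {"aws.cloudtrail.user_identity.type": "AWSService"}),
    make_event(2, "mallory", "111111111111", ORG, "ListAccounts",
               {"event.outcome": "failure"}),
]


def run_example():
    return new_terms_alerts(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for a in run_example():
        print(a["@timestamp"].isoformat(), a["user.name"], a["cloud.account.id"],
              a["event.provider"], a["event.action"])
```

Running it yields three alerts, in timestamp order: carol (her only prior call fell outside the ten-day history, so she looks new), the ci-deploy role session, and alice in the second account (the pair is per account, so a known user in an unfamiliar account still fires). bob's console-derived call, the service-principal call and mallory's failed call never reach the New Terms stage. Elastic's real rule evaluates the same logic against Elasticsearch indices rather than a list in memory, but the window boundaries and exclusions behave as shown here.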
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1087
  • T1087.004
  • T1580
Created: 2026-04-01