AWS Rare Source AS Organization Activity

Elastic Detection Rules

Summary
Technical summary: This rule surfaces an AWS identity whose CloudTrail traffic is dominated by a small set of large cloud-provider ASN organizations, but which shows intermittent activity from an uncommon ASN that includes at least one sensitive action. The intent is to detect automation or CI credentials reused or pivoted outside the principal's usual cloud footprint, i.e., a principal whose baseline is overwhelmingly trusted-cloud traffic with sparse usage from rarer networks.

The detection aggregates roughly seven days of successful CloudTrail events per user.name and aws.cloudtrail.user_identity.type. It derives is_trusted_cloud when the source ASN organization name matches a major provider (Amazon*, Google LLC, Microsoft Corporation, MongoDB, Inc.), and flags suspicious actions when events originate from an untrusted ASN and the action is on a defined list of sensitive actions (e.g., GetCallerIdentity, GetSecretValue, ListSecrets, DescribeSecret, GetParameter(s), AssumeRole, PutUserPolicy, CreateAccessKey, CreateUser, GetObject, ListBuckets/Objects, InvokeModel, etc.). Key metrics include total event count, number of distinct ASNs, untrusted vs trusted event counts, and the most recent untrusted activity.

The rule enforces thresholds: a minimum of 100 trusted-cloud events, at least one untrusted event, an untrusted event ratio <= 0.01, at least two unique untrusted-suspicious actions, at most five distinct untrusted ASNs, and a most recent untrusted event within the last hour. When matched, it surfaces context (user, identity type, ASN values, actions) for triage.

Recommended response includes credential rotation, enforcement of short-lived keys or OIDC, and tightening IAM and data-plane permissions. Investigation guidance covers correlating IAM activity, validating automation vs human activity, and reviewing permissions. False positives may arise from VPNs, proxy paths, regional carrier changes, or corporate travel; tuning guidance includes adjusting thresholds, allowlisting known ASNs, and narrowing the sensitive-action list after baseline review.
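The aggregation and thresholds described above, run over constructed sample events, as an added example that is not the rule's own ES|QL query and not Elastic's code. It uses standard ECS field names (source.as.organization.name, source.as.number, event.action, event.outcome) as an assumption about how the CloudTrail data is mapped, computes the untrusted ratio as untrusted events divided by all events for the principal (also an assumption about how the rule defines the ratio), and carries only the sensitive actions listed on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Trusted cloud ASN organization names, as described for is_trusted_cloud.
TRUSTED_PREFIXES = ("Amazon",)
TRUSTED_EXACT = {"Google LLC", "Microsoft Corporation", "MongoDB, Inc."}

# Sensitive actions from the page's list (the real rule's list may be longer).
SENSITIVE_ACTIONS = {
    "GetCallerIdentity", "GetSecretValue", "ListSecrets", "DescribeSecret",
    "GetParameter", "GetParameters", "AssumeRole", "PutUserPolicy",
    "CreateAccessKey", "CreateUser", "GetObject", "ListBuckets",
    "ListObjects", "InvokeModel",
}

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)


def is_trusted_cloud(asn_org: str) -> bool:
    """Match the provider names the rule treats as trusted cloud egress."""
    return asn_org.startswith(TRUSTED_PREFIXES) or asn_org in TRUSTED_EXACT


def evaluate(events: list[dict], now: datetime) -> list[dict]:
    """Group successful events per principal and apply the rule's thresholds."""
    groups = defaultdict(list)
    for e in events:
        if e.get("event.outcome") != "success":
            continue  # the rule only aggregates successful events
        groups[(e["user.name"], e["aws.cloudtrail.user_identity.type"])].append(e)

    alerts = []
    for (user, ident_type), evs in groups.items():
        trusted = [e for e in evs if is_trusted_cloud(e["source.as.organization.name"])]
        untrusted = [e for e in evs if not is_trusted_cloud(e["source.as.organization.name"])]
        untrusted_asns = {e["source.as.number"] for e in untrusted}
        untrusted_suspicious = {
            e["event.action"] for e in untrusted if e["event.action"] in SENSITIVE_ACTIONS
        }
        last_untrusted = max((e["@timestamp"] for e in untrusted), default=None)
        ratio = len(untrusted) / len(evs)  # assumed definition of the ratio

        if (
            len(trusted) >= 100
            and len(untrusted) >= 1
            and ratio <= 0.01
            and len(untrusted_suspicious) >= 2
            and len(untrusted_asns) <= 5
            and last_untrusted is not None
            and now - last_untrusted <= timedelta(hours=1)
        ):
            alerts.append({
                "user": user,
                "identity_type": ident_type,
                "total_events": len(evs),
                "trusted_events": len(trusted),
                "untrusted_events": len(untrusted),
                "untrusted_asns": sorted(untrusted_asns),
                "untrusted_suspicious_actions": untrusted_suspicious,
                "last_untrusted": last_untrusted,
            })
    return alerts


def _event(ts, user, ident, asn_org, asn_num, action, outcome="success"):
    return {
        "@timestamp": ts, "user.name": user,
        "aws.cloudtrail.user_identity.type": ident,
        "source.as.organization.name": asn_org, "source.as.number": asn_num,
        "event.action": action, "event.outcome": outcome,
    }


def build_sample_events(untrusted_age: timedelta) -> list[dict]:
    """Constructed sample: a CI principal with a large Amazon baseline plus two
    sensitive calls from a single non-cloud ASN, `untrusted_age` before NOW."""
    evs = []
    for i in range(300):  # 300 trusted events spread over the past week
        evs.append(_event(NOW - timedelta(minutes=30 * i), "ci-deploy", "IAMUser",
                          "Amazon.com, Inc.", 16509, "GetObject"))
    when = NOW - untrusted_age
    evs.append(_event(when, "ci-deploy", "IAMUser", "Example Hosting Ltd", 64496, "GetSecretValue"))
    evs.append(_event(when, "ci-deploy", "IAMUser", "Example Hosting Ltd", 64496, "AssumeRole"))
    # A failed call from the same ASN must not count (only successes are aggregated).
    evs.append(_event(when, "ci-deploy", "IAMUser", "Example Hosting Ltd", 64496,
                      "CreateAccessKey", outcome="failure"))
    return evs


if __name__ == "__main__":
    for alert in evaluate(build_sample_events(timedelta(minutes=10)), NOW):
        print(alert)
```

With two untrusted events against a 300-event baseline the ratio is about 0.0066, inside the 0.01 limit; the same two events against a 100-event baseline would give about 0.0196 and not fire, which is why the minimum-trusted-events threshold and the ratio work together rather than independently. Moving the untrusted events more than an hour before the evaluation time suppresses the alert.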
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2026-04-21