
Summary
This analytic rule detects cloud API calls made by user roles that have not been seen issuing those calls within a given timeframe. Using Splunk's Change data model, it identifies successful commands executed by user roles classified as AssumedRole. Tracking new API command usage by unfamiliar user roles matters because such behavior could indicate malicious activity, including unauthorized access to or exploitation of cloud resources. The rule leverages historical data to compare current API calls against a baseline and flag anomalies. If a command is executed by a user role that has not been seen running it in the specified period, an alert is triggered, prompting further investigation into the legitimacy of the action. This helps mitigate risks related to potential data breaches and supports a more secure cloud environment. Effective implementation of this rule requires maintaining an up-to-date reference of previously seen commands for user roles within the cloud infrastructure.
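The baseline comparison the summary describes, shown as an added Python example rather than the rule's own Splunk search: successful AssumedRole calls in a detection window are checked against the role-to-command pairs seen in an earlier lookback period, and any pair absent from that baseline is reported. The field names (user_type, user, command, status), the sample events, the 30-day lookback and the 24-hour window are all constructed assumptions for this illustration, not values taken from the rule.

```python
"""Baseline-vs-current comparison for cloud API calls by assumed roles.

Added illustration, not the analytic rule's own SPL: successful commands from
AssumedRole identities in the detection window are compared against the set
of commands each role used in an earlier lookback period.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names loosely mirror the Splunk Change
# data model and are assumptions for this example, as are all values below.
SAMPLE_EVENTS = [
    # Lookback period: these build the per-role baseline.
    {"time": "2024-11-01T08:00:00", "user_type": "AssumedRole", "user": "ci-deploy-role", "command": "PutObject", "status": "success"},
    {"time": "2024-11-02T09:15:00", "user_type": "AssumedRole", "user": "ci-deploy-role", "command": "GetObject", "status": "success"},
    {"time": "2024-11-03T10:00:00", "user_type": "AssumedRole", "user": "readonly-audit-role", "command": "ListBuckets", "status": "success"},
    {"time": "2024-11-12T11:00:00", "user_type": "IAMUser", "user": "alice", "command": "CreateUser", "status": "success"},
    # Detection window: the last 24 hours relative to NOW.
    {"time": "2024-11-14T07:30:00", "user_type": "AssumedRole", "user": "ci-deploy-role", "command": "PutObject", "status": "success"},
    {"time": "2024-11-14T07:45:00", "user_type": "AssumedRole", "user": "ci-deploy-role", "command": "CreateAccessKey", "status": "success"},
    {"time": "2024-11-14T08:10:00", "user_type": "AssumedRole", "user": "readonly-audit-role", "command": "DeleteBucket", "status": "failure"},
    {"time": "2024-11-14T08:20:00", "user_type": "AssumedRole", "user": "new-unknown-role", "command": "ListBuckets", "status": "success"},
]

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 11, 14, 9, 0, 0)


def _parse(ts):
    return datetime.fromisoformat(ts)


def in_scope(event):
    """Keep only what the rule cares about: successful calls by AssumedRole identities."""
    return event["user_type"] == "AssumedRole" and event["status"] == "success"


def build_baseline(events, now=NOW, window=timedelta(days=1), lookback=timedelta(days=30)):
    """Map each role to the set of commands it used in the lookback period that
    ends where the detection window begins (so current events never seed it)."""
    start, end = now - lookback, now - window
    seen = defaultdict(set)
    for ev in events:
        t = _parse(ev["time"])
        if in_scope(ev) and start <= t < end:
            seen[ev["user"]].add(ev["command"])
    return seen


def detect_new_commands(events, now=NOW, window=timedelta(days=1), lookback=timedelta(days=30)):
    """Return sorted (role, command, first_seen) tuples for successful AssumedRole
    calls in the detection window whose role/command pair is not in the baseline.
    A role with no baseline at all makes every command it runs 'new'."""
    baseline = build_baseline(events, now, window, lookback)
    first_seen = {}
    for ev in events:
        t = _parse(ev["time"])
        if not (in_scope(ev) and now - window <= t <= now):
            continue
        key = (ev["user"], ev["command"])
        if ev["command"] not in baseline.get(ev["user"], set()) and key not in first_seen:
            first_seen[key] = t
    return sorted((r, c, t.isoformat()) for (r, c), t in first_seen.items())


if __name__ == "__main__":
    for role, cmd, when in detect_new_commands(SAMPLE_EVENTS):
        print(f"ALERT {when}: role {role!r} issued never-before-seen command {cmd!r}")
```

Two details carry the weight of the summary's last sentence: the baseline is built only from events before the detection window starts, so a new command cannot whitelist itself, and the failed DeleteBucket attempt is excluded because the rule, as described, considers successful commands only. In production the baseline would be a maintained lookup refreshed on a schedule rather than recomputed from raw events on each run.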
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1078
Created: 2024-11-14