
Summary
This detection rule monitors AWS CloudTrail for the retrieval of Single Sign-On (SSO) access tokens from the AWS SSO service. It matches the `CreateToken` event, which is logged when a user or application requests an SSO access token, and checks the source of the request, the request parameters and the response so that only records consistent with a typical access token retrieval match. Because its severity is set to 'Info', the rule logs token creation without creating alerts; with a deduplication period of 60 minutes, it is suited to tracking potential misuse or unauthorized access to SSO tokens over time without raising immediate alarms.
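As an added example, not the rule's own code, the logic described above can be expressed as a Python rule function evaluated against one CloudTrail record; the `rule()`/`title()`/`dedup()` interface is an assumption (Panther-style), and the sample records are constructed.

```python
# Added example (not the rule's own code). eventSource, eventName,
# requestParameters, responseElements, sourceIPAddress and userIdentity are
# standard CloudTrail record keys; the rule()/title()/dedup() shape is assumed.
SSO_EVENT_SOURCE = "sso.amazonaws.com"
TOKEN_EVENT = "CreateToken"


def rule(event: dict) -> bool:
    """True when the record is a successful SSO access-token retrieval."""
    if event.get("eventSource") != SSO_EVENT_SOURCE:
        return False
    if event.get("eventName") != TOKEN_EVENT:
        return False
    params = event.get("requestParameters") or {}
    # A token request names its OAuth grant type; a record without one is not
    # the operation being tracked (for example a malformed or unrelated call).
    if not params.get("grantType"):
        return False
    # A failed call (errorCode present) issued no token, so it should not
    # consume the 60-minute dedup window meant for real retrievals.
    return "errorCode" not in event


def title(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    who = ident.get("userName") or ident.get("arn") or ident.get("principalId", "unknown")
    return f"SSO access token retrieved by [{who}] from [{event.get('sourceIPAddress', 'unknown')}]"


def dedup(event: dict) -> str:
    """Group repeated retrievals by principal and source address so analysts
    see one line per pattern inside the dedup period."""
    ident = event.get("userIdentity") or {}
    return f"{ident.get('principalId', 'unknown')}:{event.get('sourceIPAddress', 'unknown')}"


# Constructed sample records; CloudTrail redacts the token and device code.
TOKEN_RETRIEVED = {
    "eventSource": "sso.amazonaws.com", "eventName": "CreateToken",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "Unknown", "principalId": "EXAMPLE-PRINCIPAL"},
    "requestParameters": {"grantType": "urn:ietf:params:oauth:grant-type:device_code",
                          "deviceCode": "HIDDEN_DUE_TO_SECURITY_REASONS"},
    "responseElements": {"accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
                         "tokenType": "Bearer", "expiresIn": 28800},
}
TOKEN_DENIED = {**TOKEN_RETRIEVED, "errorCode": "AccessDeniedException",
                "responseElements": None}
UNRELATED_CALL = {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
                  "sourceIPAddress": "203.0.113.10", "userIdentity": {}}
```

Skipping records with an `errorCode` keeps denied token requests from being folded into the same deduplicated line as real retrievals; they can be tracked by a separate rule if wanted.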
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Cloud Storage
- Logon Session
- User Account
- Network Traffic
Created: 2024-07-15