
Summary
This detection rule identifies a single AWS principal making `GetServiceQuota` API calls for the EC2 service quota with code L-1216C47A across more than 10 regions within a 30-second window. That quota code is the Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances limit, so an actor checking it region by region is usually looking for regions with enough headroom to launch many instances for cryptocurrency mining or for hosting malware. Sweeping the quota across that many regions in a few seconds is automated discovery rather than interactive administration, and it most likely means a threat actor is mapping the account's infrastructure using compromised credentials or from a compromised instance, which makes this detection valuable early in an intrusion. Legitimate inventory and cloud-posture tooling can also enumerate quotas in every region, so known automation should be excluded by principal rather than by suppressing the rule. The rule uses ES|QL to filter, aggregate, and analyze AWS CloudTrail logs, and it recommends investigative steps for assessing and responding to a hit, including reviewing the principal's other recent activity, its IAM policies, and whether its credentials or host are compromised.
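The detection logic the summary describes, re-implemented here as an added Python example (not the rule's own ES|QL and not code from the rule's authors) so it can be run offline over constructed CloudTrail records. It assumes the standard CloudTrail JSON fields `eventTime`, `eventSource`, `eventName`, `awsRegion`, `userIdentity.arn` and `requestParameters.serviceCode`/`quotaCode`; the account ID, principal names and the second quota code in the sample log are constructed for the example. It uses a sliding 30-second window per principal, which is stricter than a fixed time bucket and catches a burst that straddles a bucket boundary.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SERVICE_CODE = "ec2"
QUOTA_CODE = "L-1216C47A"      # Running On-Demand Standard instances quota
WINDOW = timedelta(seconds=30)  # sliding window (assumption: the ES|QL rule may use fixed buckets)
REGION_THRESHOLD = 10           # alert when distinct regions in one window exceed this


def parse_event(line):
    """Pull the fields the detection needs out of one CloudTrail JSON record."""
    ev = json.loads(line)
    return {
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "actor": ev["userIdentity"]["arn"],
        "region": ev["awsRegion"],
        "source": ev["eventSource"],
        "name": ev["eventName"],
        "params": ev.get("requestParameters") or {},
    }


def is_candidate(ev):
    """True for GetServiceQuota calls asking about the EC2 on-demand instance quota."""
    return (ev["source"] == "servicequotas.amazonaws.com"
            and ev["name"] == "GetServiceQuota"
            and ev["params"].get("serviceCode") == SERVICE_CODE
            and ev["params"].get("quotaCode") == QUOTA_CODE)


def detect(lines):
    """Return {actor: distinct regions} for every principal that queried the quota in
    more than REGION_THRESHOLD distinct regions inside any 30-second window."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_candidate(ev):
            by_actor[ev["actor"]].append((ev["time"], ev["region"]))
    alerts = {}
    for actor, calls in by_actor.items():
        calls.sort()                      # oldest first so a two-pointer window works
        best, start = 0, 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > WINDOW:
                start += 1                # drop calls more than 30 s older than this one
            best = max(best, len({region for _, region in calls[start:end + 1]}))
        if best > REGION_THRESHOLD:
            alerts[actor] = best
    return alerts


# --- constructed sample data (not real CloudTrail output) -------------------
REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1", "eu-west-2",
           "eu-west-3", "eu-central-1", "eu-north-1", "ap-southeast-1", "ap-southeast-2",
           "ap-northeast-1"]


def make_record(actor, region, when, quota_code=QUOTA_CODE):
    """Build a minimal CloudTrail-shaped GetServiceQuota record as one JSON line."""
    return json.dumps({
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "servicequotas.amazonaws.com",
        "eventName": "GetServiceQuota",
        "awsRegion": region,
        "userIdentity": {"type": "IAMUser", "arn": actor},
        "requestParameters": {"serviceCode": SERVICE_CODE, "quotaCode": quota_code},
    })


def build_sample_log():
    """Four constructed principals (fake account 123456789012); only the first should alert."""
    t0 = datetime(2024, 8, 26, 12, 0, 0, tzinfo=timezone.utc)
    acct = "arn:aws:iam::123456789012:"
    lines = []
    # 12 regions in 12 seconds: the automated sweep the rule is built to catch
    for i, region in enumerate(REGIONS):
        lines.append(make_record(acct + "user/stolen-ci-key", region, t0 + timedelta(seconds=i)))
    # same 12 regions but one call every 40 s: never more than one region per window
    for i, region in enumerate(REGIONS):
        lines.append(make_record(acct + "role/nightly-inventory", region, t0 + timedelta(seconds=40 * i)))
    # exactly 10 regions in a burst: at the threshold, not over it
    for i, region in enumerate(REGIONS[:10]):
        lines.append(make_record(acct + "user/alice", region, t0 + timedelta(seconds=i)))
    # a fast sweep asking about a different quota code (placeholder value), so it is filtered out
    for i, region in enumerate(REGIONS):
        lines.append(make_record(acct + "user/bob", region, t0 + timedelta(seconds=i), quota_code="L-00000000"))
    return lines


if __name__ == "__main__":
    for actor, regions in detect(build_sample_log()).items():
        print(f"ALERT {actor}: {regions} regions queried within 30 s")
```

Running the block prints one alert, for the principal that swept all 12 regions in 12 seconds; the slow nightly inventory role, the principal that stopped at exactly 10 regions, and the burst for a different quota code all stay silent. In production the equivalent tuning point is an exception list of principals that are expected to sweep every region quickly, since a fast posture scanner would otherwise look identical to the attacker here.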
Categories
- Cloud
Data Sources
- Cloud Service
- Network Traffic
- Application Log
- Logon Session
ATT&CK Techniques
- T1580
Created: 2024-08-26