SSM Session Started to EC2 Instance

Elastic Detection Rules

Summary
This detection rule identifies the first time a given AWS principal (user or role) successfully starts a session to an EC2 instance through AWS Systems Manager (SSM) Session Manager. Session Manager gives whoever holds the right IAM permissions an interactive shell on the instance without SSH keys or open inbound ports, so an adversary who has obtained such credentials can use it for remote command execution, privilege escalation on the host, or lateral movement between instances. The rule matches successful SSM session-start events recorded in AWS CloudTrail, filtering on the SSM service and the session-start action, so that operations teams can spot unauthorized access or over-permissive configurations. It prescribes investigation steps: verify the event details, validate the calling user identity, assess the geographic context of the source address, and correlate the session with other security events. It also lists potential response actions, including reviewing the session itself, validating the relevant security policies, and tightening monitoring.
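The following is an added example, not the Elastic rule's own query or code. It reproduces the rule's "first occurrence" logic in plain Python over CloudTrail records: a record qualifies when its eventSource is ssm.amazonaws.com, its eventName is StartSession (the SSM API name for a Session Manager session start) and no errorCode is present, and an alert fires only the first time a given caller ARN produces such a record. The CloudTrail records embedded below are constructed for the example, with placeholder account IDs, ARNs, instance IDs and addresses.

```python
"""First-seen SSM session-start detection over AWS CloudTrail records.

Added example; not the Elastic rule's own query. A record counts when
eventSource is ssm.amazonaws.com, eventName is StartSession and no
errorCode is present (failed calls carry errorCode). An alert fires only the
first time a caller ARN produces such a record, emulating a new-terms rule.
"""
import json
from typing import Dict, List

# Constructed CloudTrail-style records (placeholder account, ARNs, IPs, IDs).
# Record order is deliberately not chronological: ci-deploy at 10:15 appears
# after alice's 11:30 session, so the detector must sort before scanning.
SAMPLE_CLOUDTRAIL_JSON = r"""
{"Records": [
 {"eventTime": "2024-04-16T09:00:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/OpsAdmin/alice"},
  "requestParameters": {"target": "i-0a1b2c3d4e5f67890"}},
 {"eventTime": "2024-04-16T09:05:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/Contractor/bob"},
  "requestParameters": {"target": "i-0a1b2c3d4e5f67890"},
  "errorCode": "AccessDeniedException",
  "errorMessage": "User is not authorized to perform: ssm:StartSession"},
 {"eventTime": "2024-04-16T11:30:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/OpsAdmin/alice"},
  "requestParameters": {"target": "i-0fedcba9876543210"}},
 {"eventTime": "2024-04-16T10:15:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "awsRegion": "eu-west-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "requestParameters": {"target": "i-0fedcba9876543210"}},
 {"eventTime": "2024-04-16T10:20:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand", "awsRegion": "eu-west-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
  "requestParameters": {"documentName": "AWS-RunShellScript"}}
]}
"""


def load_records(text: str) -> List[Dict]:
    """Parse a CloudTrail log-file body ({"Records": [...]}) into a record list."""
    return json.loads(text)["Records"]


def matches_rule(rec: Dict) -> bool:
    """True for a successful SSM StartSession call; denied calls carry errorCode."""
    return (
        rec.get("eventSource") == "ssm.amazonaws.com"
        and rec.get("eventName") == "StartSession"
        and "errorCode" not in rec
    )


def first_seen_sessions(records: List[Dict]) -> List[Dict]:
    """Emit one alert per caller ARN, on its first successful session start.

    Records are scanned in eventTime order so the alert carries the earliest
    session for that ARN rather than the first one encountered in the file.
    """
    seen_arns = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not matches_rule(rec):
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        if arn in seen_arns:
            continue  # repeat session by a known principal: no new-terms alert
        seen_arns.add(arn)
        alerts.append({
            "event_time": rec["eventTime"],
            "arn": arn,
            "target": rec.get("requestParameters", {}).get("target", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress", "<unknown>"),
            "region": rec.get("awsRegion", "<unknown>"),
        })
    return alerts


if __name__ == "__main__":
    for alert in first_seen_sessions(load_records(SAMPLE_CLOUDTRAIL_JSON)):
        print(f"[first SSM session] {alert['event_time']} {alert['arn']} -> "
              f"{alert['target']} from {alert['source_ip']} ({alert['region']})")
```

Run against the sample, the detector produces two alerts (alice's 09:00 session and ci-deploy's 10:15 session), skips bob's AccessDeniedException, ignores the SendCommand record and does not re-alert on alice's second session. A production new-terms rule scopes "first seen" to a history window (for example, not seen in the previous N days) rather than to the start of the input; the alert fields carried here (ARN, target instance, source address, region) are the ones the investigation steps above ask an analyst to validate.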
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1021
  • T1021.007
Created: 2024-04-16