
Summary
This detection rule identifies potentially abusive use of the AWS Security Token Service (STS) AssumeRole action by analyzing AWS CloudTrail logs. The rule focuses on log records for role assumptions, specifically extracting the source IP address, the user Amazon Resource Name (ARN), and the names of the roles being assumed. Monitoring this activity matters because malicious actors can use assumed roles to move laterally within an AWS account, escalate privileges, and gain unauthorized access to sensitive resources. If successful, this could result in significant security incidents, including data breaches or service disruptions. The detection rule uses a search query that filters the relevant AWS CloudTrail logs and produces a table of data for further analysis, enabling security teams to pinpoint suspicious role assumptions in the AWS environment.
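As an added illustration of the logic the summary describes (not the rule's own search, which this page does not show), the following Python tabulates CloudTrail AssumeRole records by source IP, user ARN and assumed role name. The CloudTrail field names (eventSource, eventName, sourceIPAddress, userIdentity.arn, requestParameters.roleArn) are real; the sample records, account number and IP addresses are constructed.

```python
"""Tabulate AWS STS AssumeRole events from CloudTrail records (added example)."""
import json
from collections import Counter

# Constructed sample CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnly"}},
    # Non-STS event: must be ignored by the filter.
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {}},
]


def load_records(text):
    """Parse CloudTrail JSON, either {"Records": [...]} or a bare list of events."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def role_name(role_arn):
    """Return the role name from an IAM role ARN (the part after 'role/')."""
    return role_arn.rsplit("role/", 1)[-1] if role_arn else None


def is_assume_role(event):
    """True for STS AssumeRole records only."""
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRole")


def assume_role_table(events):
    """Rows of source IP, user ARN, role name and count, most frequent first."""
    counts = Counter()
    for ev in filter(is_assume_role, events):
        params = ev.get("requestParameters") or {}
        key = (ev.get("sourceIPAddress"),
               (ev.get("userIdentity") or {}).get("arn"),
               role_name(params.get("roleArn")))
        counts[key] += 1
    return [{"src": k[0], "user_arn": k[1], "role": k[2], "count": c}
            for k, c in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))]
```

Run `assume_role_table(load_records(open("trail.json").read()))` against a CloudTrail export to get the same table the rule's search produces; a user ARN appearing with several source IPs or unfamiliar roles is the pattern an analyst would review.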
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1078
Created: 2024-11-14