
Summary
This rule detects potential misuse of the AWS Command Line Interface (CLI) through the `--endpoint-url` argument, which lets a user specify a custom endpoint URL for an AWS service. Adversaries can abuse this feature to direct API requests to unauthorized or malicious endpoints, bypassing traditional security controls and logging. The rule monitors process logs from Linux systems and identifies any execution of the AWS CLI with the `--endpoint-url` argument. A detection may indicate an attempt to interact with compromised infrastructure, exfiltrate sensitive data, or conduct other malicious operations disguised as legitimate AWS activity. The rule matches on process name and arguments to flag potential threats, and includes investigation steps and response recommendations for handling a detection.
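The matching logic described above, reproduced as an added Python example that is not part of the rule or its detection engine: it applies the process-name and `--endpoint-url` conditions to constructed process events, extracts the endpoint host for triage, and flags hosts outside an assumed allowlist of expected endpoint domains. The event field names, the sample events and the allowlist are assumptions for illustration.

```python
import shlex
from urllib.parse import urlparse

# Assumed allowlist: endpoint hosts the organization expects to see, such as
# regional service endpoints. Anything else is surfaced for investigation.
EXPECTED_ENDPOINT_SUFFIXES = (".amazonaws.com",)


def extract_endpoint_url(args):
    """Return the --endpoint-url value from an argv list, or None.

    Handles both '--endpoint-url URL' and '--endpoint-url=URL', since the
    AWS CLI accepts either spelling."""
    for i, arg in enumerate(args):
        if arg == "--endpoint-url" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--endpoint-url="):
            return arg.split("=", 1)[1]
    return None


def evaluate_event(event):
    """Apply the rule to one process event (assumed fields: 'process_name',
    'command_line'). Returns a finding dict, or None when the rule does not
    match."""
    if event.get("process_name") != "aws":
        return None
    args = shlex.split(event.get("command_line", ""))
    url = extract_endpoint_url(args)
    if url is None:
        return None
    host = (urlparse(url).hostname or "").lower()
    return {"host": host, "url": url,
            "expected_endpoint": host.endswith(EXPECTED_ENDPOINT_SUFFIXES)}


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"process_name": "aws", "command_line":
     "aws s3 cp /tmp/report.csv s3://bucket/ --endpoint-url https://storage.example.invalid:9000"},
    {"process_name": "aws", "command_line":
     "aws sts get-caller-identity --endpoint-url=https://sts.us-east-1.amazonaws.com"},
    {"process_name": "aws", "command_line": "aws s3 ls"},
    {"process_name": "python3", "command_line": "python3 tool.py --endpoint-url https://x.example.invalid"},
]


def run_rule(events=None):
    """Return the findings for every event the rule matches."""
    events = SAMPLE_EVENTS if events is None else events
    return [f for f in (evaluate_event(e) for e in events) if f]
```

Of the four sample events only the two `aws` invocations carrying `--endpoint-url` match; the `expected_endpoint` field then separates the unknown host from the regional service endpoint during triage.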
Categories
- Cloud
- Endpoint
- AWS
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1102
Created: 2024-08-21