
Summary
The 'AWS StartSession' detection rule flags the initiation of AWS Systems Manager Session Manager sessions. The StartSession API call opens a WebSocket session to a managed node through the SSM agent, so no inbound SSH port, security-group rule or SSH key is involved; access is governed by the IAM permission ssm:StartSession rather than by network controls, which means interactive access to instances can happen without touching the inbound rules that are usually watched. The rule reads the corresponding events from AWS CloudTrail (eventSource ssm.amazonaws.com, eventName StartSession). The logic is implemented in Splunk: a custom command extracts the event time, host details, user identity, account and region, source IP and user agent; the results are then aggregated by time and source IP, and each source IP is enriched with its reverse-DNS hostname and geographic location to show who connected from where. Because StartSession is also routine administrative activity, the output is best read against a baseline of expected callers, source networks and user agents rather than treated as a high-fidelity alert on its own. The rule maps to ATT&CK T1021 (Remote Services), covering lateral movement to or between AWS-managed nodes and potential misuse of that access.
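As an added illustration (not the rule's own Splunk search), the Python below reproduces the rule's pipeline over constructed CloudTrail records: filter to eventSource ssm.amazonaws.com and eventName StartSession, extract the surfaced fields, bin by time and source IP, then enrich each IP. The DNS and geo lookups are injected callables backed by constructed tables, since the real rule uses Splunk lookups; all ARNs, instance IDs, addresses and user agents are invented.

```python
"""Field extraction and time/source-IP aggregation for ssm:StartSession
CloudTrail events.  Added example, not the Splunk search the rule ships with.
All records, IPs, ARNs and lookup tables below are constructed."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail records (real CloudTrail field names, invented values).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-08T10:15:02Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 command/ssm.start-session",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"target": "i-0aaa111bbb222ccc3"}},
    {"eventTime": "2024-03-08T10:17:40Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 command/ssm.start-session",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"target": "i-0ddd444eee555fff6"}},
    {"eventTime": "2024-03-08T10:18:05Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.42",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/bob"},
     "requestParameters": {"target": "i-0aaa111bbb222ccc3"}},
    # Same source, different SSM call: the filter must drop it.
    {"eventTime": "2024-03-08T10:18:30Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 command/ssm.describe-instance-information",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {}},
]

# Constructed stand-ins for the rule's DNS and geolocation lookups.
FAKE_DNS = {"198.51.100.7": "bastion.corp.example"}
FAKE_GEO = {"198.51.100.7": "US", "203.0.113.42": "NL"}


def is_start_session(event):
    """The rule's trigger condition as it appears in CloudTrail."""
    return (event.get("eventSource") == "ssm.amazonaws.com"
            and event.get("eventName") == "StartSession")


def extract_fields(event):
    """Fields the rule surfaces: time, target node, caller, account, region,
    source IP and user agent."""
    return {
        "time": datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "target": event.get("requestParameters", {}).get("target"),
        "user": event.get("userIdentity", {}).get("arn"),
        "account": event.get("recipientAccountId"),
        "region": event.get("awsRegion"),
        "src_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
    }


def bucket_start(ts, minutes):
    """Floor a timestamp to the start of its time bin."""
    return ts.replace(minute=ts.minute - ts.minute % minutes,
                      second=0, microsecond=0)


def aggregate(events, bucket_minutes=5):
    """Group StartSession calls by (time bin, source IP), keeping the count
    plus the distinct callers, targets and user agents seen in each group."""
    groups = defaultdict(lambda: {"count": 0, "users": set(),
                                  "targets": set(), "user_agents": set()})
    for event in events:
        if not is_start_session(event):
            continue
        f = extract_fields(event)
        g = groups[(bucket_start(f["time"], bucket_minutes), f["src_ip"])]
        g["count"] += 1
        g["users"].add(f["user"])
        g["targets"].add(f["target"])
        g["user_agents"].add(f["user_agent"])
    return dict(groups)


def enrich(groups, dns_lookup, geo_lookup):
    """Attach reverse-DNS hostname and geolocation per source IP.  Lookups are
    injected callables so the example runs offline (the rule uses Splunk
    lookups); an IP with no record yields None."""
    rows = []
    for (bucket, ip), g in sorted(groups.items()):
        rows.append({"bucket": bucket.isoformat(), "src_ip": ip,
                     "hostname": dns_lookup(ip), "geo": geo_lookup(ip),
                     "count": g["count"], "users": sorted(g["users"]),
                     "targets": sorted(g["targets"]),
                     "user_agents": sorted(g["user_agents"])})
    return rows


def run(events=SAMPLE_EVENTS, bucket_minutes=5):
    """Full pipeline: filter, extract, bin, enrich."""
    return enrich(aggregate(events, bucket_minutes), FAKE_DNS.get, FAKE_GEO.get)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

With five-minute bins the three sessions collapse into two rows (two calls from 198.51.100.7 hitting two different instances, one console-driven call from 203.0.113.42 with no reverse-DNS record); the same source IP fanning out to several targets in one bin is exactly the pattern worth comparing against a baseline of known admin hosts.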
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Network Traffic
- Application Log
ATT&CK Techniques
- T1021
Created: 2024-03-08