
AWS STS GetCallerIdentity via TruffleHog

Panther Rules

Summary
Detects AWS STS GetCallerIdentity calls made by TruffleHog, a credential scanning tool. When TruffleHog finds an AWS access key, it can verify that the key is live by calling sts:GetCallerIdentity, which CloudTrail records as a GetCallerIdentity event. The rule watches CloudTrail for GetCallerIdentity events whose userAgent field identifies TruffleHog (the string "TruffleHog" or a variant of it). Such an event means a key belonging to the account has been fed to a scanner and successfully validated, which is strong evidence that the key has leaked. The behaviour maps to the Discovery tactic (TA0007), technique T1087.004 (Account Discovery: Cloud Account).

Alerts are grouped on userIdentity.accessKeyId with a 60-minute deduplication window (DedupPeriodMinutes: 60), so repeated checks of the same key produce one alert, and a single matching event is enough to fire (Threshold: 1). The rule is meant to surface credential exposure and the post-exploitation activity that typically follows a leaked key. Its tests cover a TruffleHog user agent on GetCallerIdentity (match), ordinary AWS usage such as the CLI or SDK user agents (no match), and a TruffleHog user agent on a different event name such as AssumeRole (no match, because only GetCallerIdentity is in scope).

Two practical caveats: the userAgent header is supplied by the client, so a scanner with a changed user agent will not be caught, and GetCallerIdentity succeeds for any valid key regardless of IAM policy, so an alert here cannot be prevented by permissions and should be treated as confirmation that the key needs rotating. The accessKeyId and sourceIPAddress of the matching event are the fields to pivot on when triaging.
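The detection logic described above, written out as an added example that runs over a few constructed CloudTrail records. This is not Panther's own rule code; it mirrors the rule/dedup/title functions a Panther Python rule exposes but operates on plain dicts. The eventSource check, the case-insensitive substring match on "trufflehog", the sample access key IDs and IP addresses are all assumptions made for the example.

```python
"""Added example (not Panther's rule code): GetCallerIdentity via TruffleHog.

Replicates the detection described in the summary over constructed
CloudTrail events so the match / no-match cases can be checked offline.
"""
from __future__ import annotations

# Assumption: TruffleHog and its variants all contain this substring in userAgent;
# matched case-insensitively so "TruffleHog" and "trufflehog" both hit.
TRUFFLEHOG_UA_MARKER = "trufflehog"


def rule(event: dict) -> bool:
    """True only for sts:GetCallerIdentity events with a TruffleHog user agent."""
    # GetCallerIdentity only exists in STS; the eventSource check is an extra guard
    # (assumption: CloudTrail reports STS calls as sts.amazonaws.com).
    if event.get("eventSource") != "sts.amazonaws.com":
        return False
    if event.get("eventName") != "GetCallerIdentity":
        return False
    user_agent = (event.get("userAgent") or "").lower()
    return TRUFFLEHOG_UA_MARKER in user_agent


def dedup(event: dict) -> str:
    """Group alerts on the validated access key, as the rule's dedup does."""
    return event.get("userIdentity", {}).get("accessKeyId", "<unknown>")


def title(event: dict) -> str:
    """Alert title carrying the two fields a responder pivots on first."""
    return (
        f"Access key {dedup(event)} validated with TruffleHog "
        f"from {event.get('sourceIPAddress', '<unknown>')}"
    )


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (dedup key, title) for every event the rule matches."""
    return [(dedup(e), title(e)) for e in events if rule(e)]


# Constructed sample events (not real CloudTrail data). Key IDs and IPs are placeholders.
_KEY = "AKIAEXAMPLE00000001"
SAMPLE_EVENTS = [
    {   # 1: TruffleHog validating a key -> should match
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userAgent": "TruffleHog", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accessKeyId": _KEY},
    },
    {   # 2: ordinary CLI use of the same key -> must not match
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accessKeyId": _KEY},
    },
    {   # 3: TruffleHog user agent on a different API -> out of scope, no match
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userAgent": "TruffleHog", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accessKeyId": _KEY},
    },
    {   # 4: lowercase variant re-checking the same key -> matches, same dedup key
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userAgent": "trufflehog", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "accessKeyId": _KEY},
    },
]


if __name__ == "__main__":
    for key, alert_title in evaluate(SAMPLE_EVENTS):
        print(f"[{key}] {alert_title}")
```

Events 1 and 4 both match and share the dedup key, so within the 60-minute window Panther would fold them into a single alert; events 2 and 3 are the two negative cases the rule's own tests describe.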
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1087.004
Created: 2026-04-21