
AWS Lambda Function Invoked by an Unusual Principal

Elastic Detection Rules

Summary
This Elastic rule detects the first time within its history window that a principal directly invokes an AWS Lambda function in an account, excluding invocations performed by AWS services as part of normal event-driven triggers. Direct, ad hoc Lambda invocations by identities that do not normally call Lambda can indicate credential abuse, lateral movement, or misused permissions.

The rule relies on AWS Lambda data events captured in CloudTrail (aws.cloudtrail) and requires CloudTrail data event logging for Lambda to be enabled, since these events are not logged by default. The detection filters for successful Lambda invocations (event.provider: lambda.amazonaws.com, event.action: Invoke*) and uses a “new terms” approach to surface the first occurrence within the history window. It surfaces identifying fields such as cloud.account.id and user.name, so investigators can quickly pinpoint who invoked the function and in which account, and correlates with functionName in aws.cloudtrail.request_parameters to map the invocation to the application owner and its data sensitivity.

The rule is categorized as a threat detection for actors who might abuse a compromised credential or an over-permissioned execution role to perform serverless execution or data access. Its investigation guidance covers validating the actor, function, and source; verifying whether the invocation was expected (testing, deployment, CI/CD); and correlating with related activity such as credential issuance or role assumption. False positives include legitimate testing, new automation roles, and operators who directly invoke functions for maintenance; these should be excluded after validation. Remediation steps include rotating or restricting credentials for the principal and tightening lambda:InvokeFunction permissions to only authorized identities and services.
The rule maps to MITRE ATT&CK T1648 (Serverless Execution) under Execution, and it emphasizes enabling Lambda data events in CloudTrail and ingesting them via the aws.cloudtrail data stream. It also documents setup prerequisites and references for Lambda data event logging and API invocation behavior.
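As an added illustration, not the rule's own query or Elastic's code, the following Python mirrors the rule's filter and “new terms” logic over a few constructed CloudTrail-style records. It assumes raw CloudTrail field names (eventSource, eventName, errorCode, userIdentity.type) in place of the ECS fields the rule uses, and treats userIdentity.type AWSService as the service-trigger exclusion.

```python
from datetime import datetime, timedelta


def ev(time, user, fn, typ="IAMUser", error=None):
    """Build a minimal CloudTrail-style Lambda Invoke record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
           "recipientAccountId": "111111111111", "requestParameters": {"functionName": fn},
           "userIdentity": {"type": typ, "userName": user}}
    if error:
        rec["errorCode"] = error  # CloudTrail records errorCode only on failure
    return rec


# Constructed sample: a deploy user, a service trigger, a repeat invoke by the same user,
# a never-before-seen user, and a denied call. None of this is real account data.
SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00Z", "deploy-bot", "orders-api"),
    ev("2024-05-01T09:05:00Z", "events.amazonaws.com", "nightly-report", typ="AWSService"),
    ev("2024-05-20T14:30:00Z", "deploy-bot", "orders-api"),
    ev("2024-05-21T02:10:00Z", "contractor-tmp", "export-customers"),
    ev("2024-05-21T02:11:00Z", "intern", "export-customers", error="AccessDeniedException"),
]


def is_direct_lambda_invoke(rec):
    """Rule filter: Lambda Invoke* data event, successful, not an AWS service trigger.
    (eventSource ~ event.provider, eventName ~ event.action, no errorCode ~ success.)"""
    return (rec.get("eventSource") == "lambda.amazonaws.com"
            and rec.get("eventName", "").startswith("Invoke")
            and "errorCode" not in rec
            and rec.get("userIdentity", {}).get("type") != "AWSService")


def new_term_alerts(events, history_days=30):
    """Emit one alert per (account, user) pair the first time it appears within
    history_days, approximating the rule's new-terms behaviour over a history window."""
    last_seen = {}
    alerts = []
    for rec in sorted(events, key=lambda r: r["eventTime"]):
        if not is_direct_lambda_invoke(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = (rec["recipientAccountId"], rec["userIdentity"].get("userName"))
        prev = last_seen.get(key)
        if prev is None or ts - prev > timedelta(days=history_days):
            alerts.append({"account": key[0], "user": key[1], "time": rec["eventTime"],
                           "function": rec["requestParameters"]["functionName"]})
        last_seen[key] = ts
    return alerts
```

Running `new_term_alerts(SAMPLE_EVENTS)` yields two alerts (deploy-bot on orders-api, contractor-tmp on export-customers); the service trigger, the repeat call and the denied call are not surfaced, which matches the page's description of what the rule fires on.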
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1648
Created: 2026-06-18