
Summary
This detection rule is designed to identify attempts by adversaries to discover cloud accounts within an organization's AWS environment. It works by querying AWS CloudTrail logs for specific events that indicate an account listing action, focusing on three AWS API events, `ListAccounts`, `ListAccountAliases`, and `ListAccountSettings`, which adversaries commonly invoke when performing reconnaissance against an organization's AWS accounts. The query runs over a rolling two-hour time frame, so potentially unauthorized actions are detected shortly after they occur. Monitoring these events gives organizations insight into suspicious activity that could indicate attempts to enumerate and exploit cloud resources; knowing who is accessing account information helps maintain the integrity and security of cloud configurations and limits adversarial capabilities. This rule is associated with technique ID T1087.004, part of the wider account discovery tactics used by threat actors, and has been noted in particular in the activity of GUI-vil, a known adversary group.
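As an added illustration of the logic described above (not the rule's own query or code), the following Python checks CloudTrail records for the three event names inside a rolling two-hour window; the sample records, principals and IP addresses are constructed, and the `run_sample` helper fixes "now" at 2024-02-09T11:00Z so the sample evaluates deterministically:

```python
import json
from datetime import datetime, timedelta, timezone

# The three API calls the rule watches for.
ACCOUNT_DISCOVERY_EVENTS = {"ListAccounts", "ListAccountAliases", "ListAccountSettings"}

# Constructed sample CloudTrail records (not real log data); eventTime is ISO 8601 UTC.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-02-09T10:30:00Z", "eventName": "ListAccounts",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-02-09T06:00:00Z", "eventName": "ListAccountAliases",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-02-09T10:45:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ops"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T09:40:00Z", "eventName": "ListAccountSettings",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "sourceIPAddress": "203.0.113.10"},
]})


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing 'Z'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_account_discovery(raw_json, now, window=timedelta(hours=2)):
    """Return the matching records whose eventTime falls within [now - window, now]."""
    cutoff = now - window
    hits = []
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventName") not in ACCOUNT_DISCOVERY_EVENTS:
            continue  # not one of the account-listing calls the rule cares about
        when = parse_event_time(rec["eventTime"])
        if cutoff <= when <= now:  # inside the rolling two-hour window
            hits.append({
                "eventTime": rec["eventTime"],
                "eventName": rec["eventName"],
                "principal": rec.get("userIdentity", {}).get("arn", "<unknown>"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return hits


def run_sample():
    """Evaluate the constructed records against a fixed 'now' of 2024-02-09T11:00Z."""
    ref = datetime(2024, 2, 9, 11, 0, tzinfo=timezone.utc)
    return find_account_discovery(SAMPLE_CLOUDTRAIL, now=ref)
```

With the fixed reference time, the 06:00 `ListAccountAliases` call falls outside the window and `DescribeInstances` is ignored, so only the `ListAccounts` and `ListAccountSettings` records are reported.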
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1087.004
Created: 2024-02-09