
Summary
This detection rule identifies suspicious calls to the AWS STS (Security Token Service) `GetSessionToken` API, which may indicate an attacker obtaining temporary security credentials. Those temporary credentials can be used to perform unauthorized actions, enabling lateral movement within the AWS environment and potentially privilege escalation. The rule targets IAM users calling `GetSessionToken`, an API typically used by administrators for legitimate purposes, so any unexpected or unauthorized use, especially from unfamiliar sources, warrants investigation to head off a potential compromise. Detection relies on monitoring CloudTrail logs for anomalies in the access patterns around `GetSessionToken` invocations.
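As an added illustration (not the rule's own query), the check below applies the summary's logic to constructed CloudTrail records: it keeps `GetSessionToken` calls whose `userIdentity.type` is `IAMUser` and tags callers outside a known-network allowlist for triage. The field names follow the CloudTrail record format; the allowlist, the sample records and the "skip calls that carry an `errorCode`" filter are assumptions of this example.

```python
import ipaddress
from typing import Iterable

# Constructed allowlist of "familiar" source networks (placeholder range).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2021-07-24T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2021-07-24T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2021-07-24T10:06:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
    {"eventTime": "2021-07-24T10:07:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    {"eventTime": "2021-07-24T10:08:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

def matches_rule(event: dict) -> bool:
    """Core predicate: an IAM user (not an assumed role or root) successfully called
    sts:GetSessionToken. Failed calls carry an errorCode and are skipped; that success
    filter is an assumption of this example, not something the summary states."""
    return (
        event.get("eventSource") == "sts.amazonaws.com"
        and event.get("eventName") == "GetSessionToken"
        and event.get("userIdentity", {}).get("type") == "IAMUser"
        and "errorCode" not in event
    )

def is_unfamiliar_source(ip: str) -> bool:
    """True when the caller's IP falls outside every allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_NETWORKS)

def detect(events: Iterable[dict]) -> list[dict]:
    """One alert per matching record, tagging calls from unfamiliar sources for triage."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "time": ev["eventTime"],
                "user": ev["userIdentity"].get("userName"),
                "source_ip": ev["sourceIPAddress"],
                "unfamiliar_source": is_unfamiliar_source(ev["sourceIPAddress"]),
            })
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for `alice`; only the second, from 198.51.100.7, is tagged as an unfamiliar source, while the assumed-role, failed and `AssumeRole` records are dropped.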
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Network Traffic
Created: 2021-07-24