
Detect Spike in AWS API Activity

Splunk Security Content

Summary
This rule detects unusual spikes in AWS API activity by individual users within an AWS environment. It reads AWS CloudTrail logs and counts the API calls made by each user. A baseline of normal activity is established per user through statistical analysis (mean and standard deviation of the per-user call counts), and a period is flagged as a spike when the number of API calls exceeds the mean plus a configured number of standard deviations. Alerts on these anomalies give insight into potentially unauthorized or malicious actions, such as a valid cloud account being abused (T1078.004). Implementing this rule requires the AWS App for Splunk and correctly configured AWS CloudTrail inputs. Note that this specific rule is deprecated: it has been migrated to a new detection built on the Change data model, although detecting such spikes remains important for maintaining security posture.
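The following is an added example, not Splunk's own SPL for this rule, that reimplements the logic the summary describes in plain Python so it can be run offline: CloudTrail-style events are bucketed per user and per hour, a trailing per-user baseline of mean plus k standard deviations is computed from the preceding buckets, and a bucket whose count exceeds that threshold is reported as a spike. The event records, user ARNs, and account ID are constructed; the minimum baseline length (3 buckets) and the standard-deviation floor (a zero-variance baseline would otherwise flag a single extra call) are assumptions of this example rather than parameters of the original rule.

```python
"""Per-user spike detection over CloudTrail-style events.

Added example reimplementing the mean + k*stdev logic described in the
rule summary. The events below are constructed, not real CloudTrail data.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed identities (the account ID is the AWS documentation placeholder).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"


def _constructed_events(user_arn, hour, n):
    """Build n constructed CloudTrail-style records for one user in one hour."""
    return [
        {
            "eventTime": f"2024-11-14T{hour:02d}:{(i * 7) % 60:02d}:{(i * 13) % 60:02d}Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "userIdentity": {"type": "IAMUser", "arn": user_arn},
        }
        for i in range(n)
    ]


# Alice: steady ~10 calls/hour, then 40 in hour 06 (a spike).
# Bob: steady ~5 calls/hour, 6 in hour 06 (within normal variation).
# Carol: first seen in hour 06, so no baseline exists for her.
SAMPLE_EVENTS = []
for _hour, _n in enumerate([10, 12, 11, 9, 10, 13, 40]):
    SAMPLE_EVENTS += _constructed_events(ALICE, _hour, _n)
for _hour, _n in enumerate([5, 5, 6, 5, 5, 4, 6]):
    SAMPLE_EVENTS += _constructed_events(BOB, _hour, _n)
SAMPLE_EVENTS += _constructed_events(CAROL, 6, 3)


def hour_bucket(event_time):
    """Map a CloudTrail eventTime (ISO 8601, 'Z' suffix) to an hourly bucket key."""
    dt = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    return dt.strftime("%Y-%m-%dT%H")


def count_per_user_hour(events):
    """Return {user: Counter({bucket: api_call_count})} keyed on userIdentity.arn."""
    counts = defaultdict(Counter)
    for ev in events:
        ident = ev.get("userIdentity", {})
        user = ident.get("arn") or ident.get("principalId") or "unknown"
        counts[user][hour_bucket(ev["eventTime"])] += 1
    return counts


def detect_spikes(events, k=3.0, min_baseline=3, min_stdev=1.0):
    """Flag buckets where a user's call count exceeds mean + k*stdev of that
    user's preceding buckets. Users with too few buckets to form a baseline are
    reported separately instead of being silently ignored."""
    counts = count_per_user_hour(events)
    spikes, insufficient = [], []
    for user in sorted(counts):
        keys = sorted(counts[user])
        series = [counts[user][b] for b in keys]
        if len(series) <= min_baseline:
            insufficient.append(user)
            continue
        for i in range(min_baseline, len(series)):
            history = series[:i]  # trailing baseline: only earlier buckets
            mu = mean(history)
            sigma = max(stdev(history), min_stdev)  # floor avoids zero-variance alerts
            threshold = mu + k * sigma
            if series[i] > threshold:
                spikes.append({
                    "user": user,
                    "bucket": keys[i],
                    "count": series[i],
                    "mean": mu,
                    "stdev": sigma,
                    "threshold": threshold,
                })
    return {"spikes": spikes, "insufficient_baseline": insufficient}


if __name__ == "__main__":
    result = detect_spikes(SAMPLE_EVENTS)
    for s in result["spikes"]:
        print(f"SPIKE {s['user']} {s['bucket']}: {s['count']} calls "
              f"(baseline mean {s['mean']:.1f}, threshold {s['threshold']:.1f})")
    for u in result["insufficient_baseline"]:
        print(f"NO BASELINE {u}: too few buckets to evaluate")
```

Running the block reports a single spike for alice in hour 06 (40 calls against a threshold of roughly 15) and lists carol as lacking a baseline; bob's hour-06 count of 6 stays below his threshold of 8. The trailing baseline matters: a user who has been steadily noisy is judged against their own history, so one account's burst does not raise the bar for everyone else, which is the per-user behaviour the rule summary describes.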
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1078.004
Created: 2024-11-14