AWS Lambda Function High-Frequency Invocation by a Single Principal

Elastic Detection Rules

Summary
Detects a single principal directly invoking AWS Lambda functions at a high volume within a 60-minute window (threshold configurable per environment). The rule relies on AWS CloudTrail data events for Lambda invocation to surface volumetric abuse, such as resource hijacking, cryptomining, denial-of-wallet cost inflation, or enumeration of function behavior. Because Lambda data events are not enabled by default, data-event logging must be enabled for the relevant Trail. The threshold is environment-dependent; legitimate high-throughput workloads, batch jobs, and automation can trigger matches if the threshold is not tuned. The rule groups matches by principal ARN and reports the invocation count and source IPs for investigation. Because Lambda data events capture only invocation metadata (not payloads or results), the rule should be treated as a corroborating signal rather than conclusive evidence on its own.
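The following is an added illustration of the detection logic described above, written for this page; it is not Elastic's rule code. It runs a sliding 60-minute window over constructed CloudTrail records, counts Lambda `Invoke` data events per principal ARN, and reports the count, the functions touched and the distinct source IPs when a configurable threshold is reached. The record field names (`eventSource`, `eventName`, `eventTime`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.functionName`) follow the CloudTrail record format; the ARNs, IPs, timestamps and the low threshold of 5 are constructed so the sample triggers.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)
DEFAULT_THRESHOLD = 5  # constructed for the sample; tune per environment in practice


def _rec(ts, arn, fn, ip, name="Invoke", source="lambda.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real logs)."""
    return {
        "eventTime": ts,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"functionName": fn},
    }


CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/session1"  # constructed
ALICE = "arn:aws:iam::123456789012:user/alice"                         # constructed
BATCH = "arn:aws:iam::123456789012:user/batch-runner"                  # constructed

SAMPLE_RECORDS = [
    # CI_ROLE: 8 invocations in 30 minutes from two IPs -> should alert at threshold 5
    _rec("2024-03-01T10:00:00Z", CI_ROLE, "report-builder", "203.0.113.10"),
    _rec("2024-03-01T10:03:00Z", CI_ROLE, "report-builder", "203.0.113.10"),
    _rec("2024-03-01T10:05:00Z", CI_ROLE, "image-resize", "198.51.100.7"),
    _rec("2024-03-01T10:09:00Z", CI_ROLE, "report-builder", "203.0.113.10"),
    _rec("2024-03-01T10:14:00Z", CI_ROLE, "image-resize", "198.51.100.7"),
    _rec("2024-03-01T10:20:00Z", CI_ROLE, "report-builder", "203.0.113.10"),
    _rec("2024-03-01T10:25:00Z", CI_ROLE, "report-builder", "203.0.113.10"),
    _rec("2024-03-01T10:30:00Z", CI_ROLE, "image-resize", "198.51.100.7"),
    # ALICE: 3 invocations spread over 3 hours -> never reaches threshold
    _rec("2024-03-01T08:00:00Z", ALICE, "report-builder", "192.0.2.5"),
    _rec("2024-03-01T09:30:00Z", ALICE, "report-builder", "192.0.2.5"),
    _rec("2024-03-01T11:00:00Z", ALICE, "report-builder", "192.0.2.5"),
    # BATCH: 6 invocations over ~2 hours; at most 4 fall inside any 60-minute window
    _rec("2024-03-01T00:00:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    _rec("2024-03-01T00:20:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    _rec("2024-03-01T00:40:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    _rec("2024-03-01T00:59:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    _rec("2024-03-01T01:30:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    _rec("2024-03-01T01:50:00Z", BATCH, "nightly-etl", "192.0.2.9"),
    # Noise the rule must ignore: a management event and a non-Lambda data event
    _rec("2024-03-01T10:10:00Z", CI_ROLE, "report-builder", "203.0.113.10", name="ListFunctions20150331"),
    _rec("2024-03-01T10:11:00Z", CI_ROLE, "report-builder", "203.0.113.10", name="GetObject", source="s3.amazonaws.com"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_lambda_invoke(record):
    """Only Lambda data events for invocation count; management events do not."""
    return record.get("eventSource") == "lambda.amazonaws.com" and record.get("eventName") == "Invoke"


def detect(records, threshold=DEFAULT_THRESHOLD, window=WINDOW):
    """Return one alert per principal whose densest `window` holds >= threshold invocations."""
    by_principal = defaultdict(list)
    for r in records:
        if is_lambda_invoke(r):
            by_principal[r.get("userIdentity", {}).get("arn", "unknown")].append(r)

    alerts = []
    for arn, events in by_principal.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        times = [parse_time(r["eventTime"]) for r in events]
        best_count, best_span = 0, (0, 0)
        start = 0
        # Two-pointer sliding window: advance `start` until the span fits in `window`.
        for end in range(len(events)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end)
        if best_count >= threshold:
            hits = events[best_span[0]:best_span[1] + 1]
            alerts.append({
                "principal_arn": arn,
                "invocation_count": best_count,
                "window_start": hits[0]["eventTime"],
                "window_end": hits[-1]["eventTime"],
                "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
                "functions": sorted({r["requestParameters"]["functionName"] for r in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The densest-window search is what keeps `batch-runner` quiet: it makes six calls in total, but no 60-minute span holds more than four, so a simple per-hour bucket count would behave differently depending on where the bucket boundary falls. Lowering `threshold` to 4 shows the tuning trade-off the summary warns about, since the batch job then becomes a match as well.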
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1496
Created: 2026-06-18