
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
Elastic Detection Rules
Summary
Correlates open AWS IAM long-term access key detections by key ID (prefix AKIA). The rule links multiple open alerts that share the same access_key_id when there is an initial 'Long-Term Access Key First Seen from Source IP' alert and at least one additional open alert for the same key with medium, high, or critical severity. This higher-order rule helps surface potential post-compromise activity by correlating credential-related detections across the same IAM key, enabling faster investigation and response. The rule uses ES|QL to group signals by aws.cloudtrail.user_identity.access_key_id and triggers only when a first-seen-IP alert and at least one elevated alert co-occur for the same key. It returns per-source-IP statistics, the count of long-term key first-seen events, the count of elevated sibling alerts, and the related rule identifiers and risk scores for investigation.
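The correlation logic described above, reproduced as a small added example in Python rather than ES|QL. This is not Elastic's rule code; it runs over a constructed set of alert documents (the key IDs, source IPs, risk scores and the non-first-seen rule ids are placeholders) and shows which keys satisfy the rule: an open first-seen-IP alert plus at least one additional open medium/high/critical alert on the same AKIA key, with keys that have only one of the two, closed alerts, and temporary ASIA keys all left out.

```python
"""Added example (not Elastic's rule code): correlate open AWS IAM long-term
access key alerts by access_key_id, mirroring the logic the rule summary describes."""
from collections import Counter, defaultdict

# Name of the prerequisite alert, taken from the rule summary.
FIRST_SEEN_RULE = "Long-Term Access Key First Seen from Source IP"
ELEVATED_SEVERITIES = {"medium", "high", "critical"}
LONG_TERM_KEY_PREFIX = "AKIA"  # long-term IAM keys; ASIA-prefixed keys are temporary STS keys

# Constructed sample alert documents. Key IDs, IPs, risk scores and the
# elevated rule ids are placeholders, not real Elastic rule identifiers.
SAMPLE_ALERTS = [
    # Key 1: first-seen alert plus two elevated sibling alerts -> correlates.
    {"rule_name": FIRST_SEEN_RULE, "rule_id": "first-seen-rule (placeholder)",
     "severity": "low", "risk_score": 21, "status": "open",
     "access_key_id": "AKIAEXAMPLE00000001", "source_ip": "198.51.100.10"},
    {"rule_name": "constructed-elevated-rule-1", "rule_id": "constructed-elevated-rule-1",
     "severity": "high", "risk_score": 73, "status": "open",
     "access_key_id": "AKIAEXAMPLE00000001", "source_ip": "198.51.100.10"},
    {"rule_name": "constructed-elevated-rule-2", "rule_id": "constructed-elevated-rule-2",
     "severity": "medium", "risk_score": 47, "status": "open",
     "access_key_id": "AKIAEXAMPLE00000001", "source_ip": "203.0.113.5"},
    # Closed alert on key 1: the rule only correlates open alerts, so it is ignored.
    {"rule_name": "constructed-elevated-rule-1", "rule_id": "constructed-elevated-rule-1",
     "severity": "high", "risk_score": 73, "status": "closed",
     "access_key_id": "AKIAEXAMPLE00000001", "source_ip": "198.51.100.10"},
    # Key 2: first-seen alert only, no elevated sibling -> no correlation.
    {"rule_name": FIRST_SEEN_RULE, "rule_id": "first-seen-rule (placeholder)",
     "severity": "low", "risk_score": 21, "status": "open",
     "access_key_id": "AKIAEXAMPLE00000002", "source_ip": "198.51.100.20"},
    # Key 3: elevated alert only, no first-seen alert -> no correlation.
    {"rule_name": "constructed-elevated-rule-1", "rule_id": "constructed-elevated-rule-1",
     "severity": "high", "risk_score": 73, "status": "open",
     "access_key_id": "AKIAEXAMPLE00000003", "source_ip": "198.51.100.30"},
    # Temporary (ASIA) key with both alert kinds: outside the rule's AKIA scope.
    {"rule_name": FIRST_SEEN_RULE, "rule_id": "first-seen-rule (placeholder)",
     "severity": "low", "risk_score": 21, "status": "open",
     "access_key_id": "ASIAEXAMPLE00000004", "source_ip": "198.51.100.40"},
    {"rule_name": "constructed-elevated-rule-2", "rule_id": "constructed-elevated-rule-2",
     "severity": "critical", "risk_score": 99, "status": "open",
     "access_key_id": "ASIAEXAMPLE00000004", "source_ip": "198.51.100.40"},
]


def correlate_long_term_key_alerts(alerts):
    """Return one correlation record per AKIA key that has both an open
    first-seen-IP alert and at least one additional open elevated alert."""
    by_key = defaultdict(list)
    for alert in alerts:
        key = alert.get("access_key_id") or ""
        # Only open alerts on long-term keys take part in the correlation.
        if alert.get("status") != "open" or not key.startswith(LONG_TERM_KEY_PREFIX):
            continue
        by_key[key].append(alert)

    correlated = []
    for key, group in sorted(by_key.items()):
        first_seen = [a for a in group if a["rule_name"] == FIRST_SEEN_RULE]
        # "Additional" alerts: anything other than the first-seen rule at an elevated severity.
        elevated = [a for a in group
                    if a["rule_name"] != FIRST_SEEN_RULE
                    and a["severity"] in ELEVATED_SEVERITIES]
        if not first_seen or not elevated:
            continue  # both halves must co-occur for the same key
        linked = first_seen + elevated
        correlated.append({
            "access_key_id": key,
            "first_seen_count": len(first_seen),
            "elevated_count": len(elevated),
            # Per-source-IP statistics over the linked alerts.
            "alerts_per_source_ip": dict(Counter(a["source_ip"] for a in linked)),
            "related_rule_ids": sorted({a["rule_id"] for a in elevated}),
            "max_risk_score": max(a["risk_score"] for a in linked),
        })
    return correlated


if __name__ == "__main__":
    for record in correlate_long_term_key_alerts(SAMPLE_ALERTS):
        print(record)
```

With the constructed input only AKIAEXAMPLE00000001 is reported: one first-seen event, two elevated siblings, two distinct source IPs and a maximum risk score of 73. The second source IP on the elevated alert is the detail an analyst would look at first, since the first-seen alert and the later elevated activity came from different addresses.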
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1552
- T1078
- T1078.004
Created: 2026-04-06