
Summary
The Thinkst Canarytoken Incident rule detects unauthorized use of, or suspicious activity around, AWS API keys by alerting on triggered Canarytokens. A Canarytoken is a decoy credential with no legitimate use, so any call made with it means the key was obtained and used by someone who should not have it, which indicates a potential compromise. The rule captures events specifically related to Canarytoken alerts, focusing on incidents where the token was triggered by an external agent, such as a source IP address previously associated with misuse. When a Canarytoken derived from an AWS API key is triggered, detailed information, including the source IP address, the timestamp and the surrounding event context, is logged for further analysis. The rule runs in real time at high severity and consolidates repeated alerts so that response teams are not flooded with duplicates. Each alert must be investigated after it fires, particularly when the alert annotations indicate scanning activity by a tool such as 'TruffleHog'.
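The consolidation behaviour described above, as an added illustration rather than the rule's or Thinkst's own code: the alert records, their field names and the 15-minute window are all assumptions constructed for this example. Alerts for the same token and source IP that arrive within the window are merged into one incident, non-AWS tokens are ignored, and a TruffleHog annotation marks the incident as suspected scanner activity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts in an assumed shape; not a real Canarytoken webhook format.
SAMPLE_ALERTS = [
    {"token_id": "tok-aws-0001", "token_type": "aws_keys", "src_ip": "198.51.100.7",
     "timestamp": "2024-10-17T10:00:00Z", "annotations": {"user_agent": "TruffleHog"}},
    {"token_id": "tok-aws-0001", "token_type": "aws_keys", "src_ip": "198.51.100.7",
     "timestamp": "2024-10-17T10:00:30Z", "annotations": {"user_agent": "TruffleHog"}},
    {"token_id": "tok-aws-0001", "token_type": "aws_keys", "src_ip": "203.0.113.9",
     "timestamp": "2024-10-17T10:05:00Z", "annotations": {}},
    {"token_id": "tok-aws-0001", "token_type": "aws_keys", "src_ip": "198.51.100.7",
     "timestamp": "2024-10-17T12:00:00Z", "annotations": {"user_agent": "TruffleHog"}},
    {"token_id": "tok-web-0002", "token_type": "web", "src_ip": "192.0.2.5",
     "timestamp": "2024-10-17T10:01:00Z", "annotations": {}},
]


@dataclass
class Incident:
    token_id: str
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    hits: int = 1
    severity: str = "high"          # every AWS key Canarytoken trigger is high severity
    scanner_suspected: bool = False  # set when annotations mention TruffleHog


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consolidate(alerts, window=timedelta(minutes=15)):
    """Fold raw Canarytoken alerts into de-duplicated incidents, oldest first."""
    incidents: list[Incident] = []
    open_by_key: dict[tuple[str, str], Incident] = {}
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        if alert.get("token_type") != "aws_keys":   # this rule only covers AWS API key tokens
            continue
        ts = _parse_ts(alert["timestamp"])
        key = (alert["token_id"], alert["src_ip"])
        notes = " ".join(str(v) for v in alert.get("annotations", {}).values())
        scanner = "trufflehog" in notes.lower()
        current = open_by_key.get(key)
        if current and ts - current.last_seen <= window:   # same token + source within window
            current.hits += 1
            current.last_seen = ts
            current.scanner_suspected |= scanner
            continue
        incident = Incident(key[0], key[1], ts, ts, scanner_suspected=scanner)
        open_by_key[key] = incident
        incidents.append(incident)
    return incidents
```

Running `consolidate(SAMPLE_ALERTS)` yields three incidents: the two early hits from 198.51.100.7 merge into one, the 203.0.113.9 hit stands alone, and the later 198.51.100.7 hit opens a fresh incident because it falls outside the window.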
Categories
- Cloud
- AWS
- Infrastructure
- Identity Management
Data Sources
- Cloud Service
- User Account
- Logon Session
- Application Log
Created: 2024-10-17