
Summary
This rule detects rare and potentially malicious access to AWS Systems Manager (SSM) inventory APIs by users or roles that do not normally perform such actions. Specifically, it fires the first time a given user queries SSM inventory-related APIs or executes the AWS-GatherSoftwareInventory command. These calls can reveal sensitive information about EC2 instances, including the installed software and patch compliance state, which an adversary can use for reconnaissance. The rule is a New Terms rule: it triggers on the first observed access by a user to these APIs, which matters because in most AWS environments these APIs are called by automated systems rather than by individual users, so a first-seen human caller deviates from normal operational behavior. Responding to an alert from this rule involves verifying the user's identity, analyzing the source and context of the commands, and investigating for signs of unauthorized access or credential compromise.
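The "new terms" logic described above, as an added illustration rather than the rule's own query: a first-seen detector over constructed CloudTrail-style records. The specific SSM API names matched, the use of SendCommand with the AWS-GatherSoftwareInventory document, and the sample ARNs and events are assumptions for the example, not values taken from the rule.

```python
# Assumed SSM inventory read APIs the rule matches (assumption, not from the page).
INVENTORY_APIS = {"GetInventory", "GetInventorySchema", "ListInventoryEntries"}
INVENTORY_DOCUMENT = "AWS-GatherSoftwareInventory"

def is_inventory_access(event):
    """True for an SSM inventory query or a SendCommand of the inventory document."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return False
    name = event.get("eventName")
    if name in INVENTORY_APIS:
        return True
    if name == "SendCommand":
        params = event.get("requestParameters") or {}
        return params.get("documentName") == INVENTORY_DOCUMENT
    return False

def new_terms_alerts(events, baseline=None):
    """Alert once per (actor, API) pair on first sight. `baseline` holds pairs
    already known and is updated in place so successive log batches can be fed."""
    seen = baseline if baseline is not None else set()
    alerts = []
    for ev in events:
        if not is_inventory_access(ev):
            continue
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        key = (actor, ev["eventName"])
        if key in seen:
            continue  # known behaviour for this actor: no alert
        seen.add(key)
        alerts.append({"time": ev.get("eventTime"), "actor": actor,
                       "api": ev["eventName"], "sourceIP": ev.get("sourceIPAddress")})
    return alerts

def evt(time, arn, name, ip, doc=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    e = {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if doc:
        e["requestParameters"] = {"documentName": doc}
    return e

AUTOMATION = "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/i-0abc"
HUMAN = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    evt("2026-02-11T01:00:00Z", AUTOMATION, "GetInventory", "10.0.0.5"),
    evt("2026-02-11T01:05:00Z", AUTOMATION, "GetInventory", "10.0.0.5"),
    evt("2026-02-11T02:00:00Z", HUMAN, "GetInventory", "203.0.113.7"),
    evt("2026-02-11T02:01:00Z", HUMAN, "SendCommand", "203.0.113.7", "AWS-RunShellScript"),
    evt("2026-02-11T02:02:00Z", HUMAN, "SendCommand", "203.0.113.7", INVENTORY_DOCUMENT),
]
```

Seeding `baseline` with the automation role's known pair, as `new_terms_alerts(SAMPLE_EVENTS, {(AUTOMATION, "GetInventory")})`, leaves only the two first-seen calls by the human user as alerts; the SendCommand of AWS-RunShellScript is not inventory access and is ignored.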
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1538
- T1580
Created: 2026-02-11