AWS STS GetCallerIdentity Enumeration Via TruffleHog

Sigma Rules

Summary
This detection rule identifies calls to the AWS Security Token Service (STS) API GetCallerIdentity where the user agent indicates TruffleHog, a tool threat actors often employ to validate exposed AWS keys. The rule is designed to surface instances in which TruffleHog interacts with the AWS environment to confirm whether potentially compromised AWS credentials are valid. Successful exploitation can lead to unauthorized access within the AWS ecosystem, allowing threat actors to conduct further malicious activity.

The detection works by monitoring AWS CloudTrail logs for the eventSource and eventName values associated with STS calls, and filtering for requests whose user agent identifies TruffleHog.

Organizations should be aware of false positives arising from legitimate use of TruffleHog within internal security operations. Known legitimate usage should be authorized and filtered out to minimize alerts from trusted entities.
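The detection logic described above, applied to CloudTrail records in Python, as an added example that is not part of the rule or the page. It assumes the user-agent match is a case-insensitive substring match on "TruffleHog", and the allow-list of sanctioned principals (the false-positive tuning the summary recommends) and the sample records are constructed for illustration.

```python
import json

# Match criteria from the rule description: STS GetCallerIdentity calls whose
# user agent indicates TruffleHog (substring match, case-insensitive; assumed).
EVENT_SOURCE = "sts.amazonaws.com"  # CloudTrail eventSource for AWS STS
EVENT_NAME = "GetCallerIdentity"
UA_MARKER = "trufflehog"

# Hypothetical allow-list of principals sanctioned to run TruffleHog internally,
# the false-positive tuning the description recommends. Values are constructed.
ALLOWED_PRINCIPAL_ARNS = {"arn:aws:iam::111122223333:user/secret-scanner-ci"}

def matches_rule(record: dict) -> bool:
    """True when a CloudTrail record is an STS GetCallerIdentity call from TruffleHog."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") == EVENT_NAME
            and UA_MARKER in record.get("userAgent", "").lower())

def evaluate(records: list) -> list:
    """Apply the rule, suppress allow-listed principals, return alert summaries."""
    alerts = []
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "")
        if matches_rule(rec) and arn not in ALLOWED_PRINCIPAL_ARNS:
            alerts.append({"time": rec.get("eventTime"), "principal": arn,
                           "source_ip": rec.get("sourceIPAddress"),
                           "user_agent": rec.get("userAgent")})
    return alerts

def evaluate_trail(trail_json: str) -> list:
    """Evaluate a CloudTrail log file body ({"Records": [...]}) against the rule."""
    return evaluate(json.loads(trail_json)["Records"])

def _record(time, user, ua, ip, event=EVENT_NAME):
    """Build a constructed CloudTrail record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": EVENT_SOURCE, "eventName": event,
            "userAgent": ua, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample trail: a leaked key probed by TruffleHog from the internet,
# a sanctioned internal scan, an ordinary CLI call, and a TruffleHog user agent
# on a different STS call (outside the rule's scope).
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("2025-10-12T09:14:03Z", "leaked-deploy-key", "TruffleHog", "203.0.113.10"),
    _record("2025-10-12T09:20:41Z", "secret-scanner-ci", "TruffleHog", "10.0.4.25"),
    _record("2025-10-12T09:21:00Z", "alice", "aws-cli/2.15.0", "10.0.4.30"),
    _record("2025-10-12T09:25:12Z", "bob", "TruffleHog", "10.0.4.31", event="AssumeRole"),
]})
```

Running `evaluate_trail(SAMPLE_TRAIL)` yields a single alert for the leaked-deploy-key principal; the sanctioned scanner, the CLI call and the AssumeRole event are not reported.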
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2025-10-12