Data Exfiltration via AWS CLI - *nix

Anvilogic Forge

Summary
This detection rule identifies potential data exfiltration events that use the AWS Command Line Interface (CLI) on Unix-like systems such as Linux and macOS. It monitors executions of the `s3 cp` command together with flags such as `--recursive`, `--region`, and `--endpoint-url`, which may indicate unauthorized bulk data transfers to external S3-compatible storage services. By examining how the command's parameters are used, the rule aims to detect anomalous transfers that could indicate malicious intent, such as staging information for exfiltration or moving sensitive data without authorization. The detection logic is implemented in Splunk; it observes command usage patterns and correlates them with user activity, processes, and system logs. This improves visibility into suspicious data-movement behavior and supports the investigation of potential breaches that abuse AWS CLI functionality.
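The following is an added illustration of the detection logic described above, written in Python rather than Splunk SPL; it is not the Forge rule itself and makes several assumptions: a process-execution log with `host`, `user` and `cmd` fields, a hand-maintained list of AWS CLI options that take a value (needed to find the `s3 cp` subcommand when global options such as `--profile` precede it), and the heuristic that an `--endpoint-url` whose hostname does not end in `.amazonaws.com` points at a non-AWS storage service. The sample events are constructed, not real telemetry.

```python
import os
import shlex
from urllib.parse import urlparse

# Constructed sample process-execution events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "build-01", "user": "ci",
     "cmd": "aws s3 cp /var/backups s3://corp-backups/nightly --recursive --region us-east-1"},
    {"host": "dev-laptop", "user": "jdoe",
     "cmd": "aws s3 cp /home/jdoe/Documents s3://bucket-x/dump --recursive "
            "--endpoint-url https://files.example-storage.net"},
    {"host": "dev-laptop", "user": "jdoe", "cmd": "aws s3 ls s3://corp-backups"},
    {"host": "web-02", "user": "www", "cmd": "aws s3 cp report.pdf s3://corp-reports/2025/"},
    {"host": "web-02", "user": "www",
     "cmd": "/usr/local/bin/aws --profile prod s3 cp /srv/data s3://corp-data --recursive "
            "--endpoint-url=https://s3.us-west-2.amazonaws.com"},
]

# Assumption: AWS CLI options that consume the next token as their value.
# Any other "--option" is treated as a boolean switch (e.g. --recursive).
VALUE_OPTS = {"--profile", "--region", "--endpoint-url", "--output", "--query",
              "--exclude", "--include", "--storage-class", "--acl", "--sse",
              "--content-type", "--expected-size"}


def parse_aws_cli(cmd):
    """Split an aws CLI command line into service, operation, positionals and options."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes: not parseable, leave for a separate malformed-cmd rule
    if not argv or os.path.basename(argv[0]) != "aws":
        return None
    opts, positionals, i = {}, [], 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:                      # --endpoint-url=https://...
                name, val = tok.split("=", 1)
                opts[name] = val
            elif tok in VALUE_OPTS and i + 1 < len(argv):
                opts[tok] = argv[i + 1]          # --profile prod
                i += 1
            else:
                opts[tok] = True                 # --recursive
        else:
            positionals.append(tok)
        i += 1
    if len(positionals) < 2:
        return None
    return {"service": positionals[0], "operation": positionals[1],
            "args": positionals[2:], "opts": opts}


def evaluate(event):
    """Return an alert dict for an 's3 cp' with the flags the rule keys on, else None."""
    parsed = parse_aws_cli(event["cmd"])
    if parsed is None or (parsed["service"], parsed["operation"]) != ("s3", "cp"):
        return None
    opts, reasons, severity = parsed["opts"], [], "medium"
    if opts.get("--recursive"):
        reasons.append("recursive (bulk) copy")
    if "--region" in opts:
        reasons.append(f"explicit --region {opts['--region']}")
    endpoint = opts.get("--endpoint-url")
    if isinstance(endpoint, str):
        host = urlparse(endpoint).hostname or ""
        # Assumption: anything not under amazonaws.com is an external S3-compatible service.
        if host.endswith(".amazonaws.com"):
            reasons.append(f"--endpoint-url to AWS host {host}")
        else:
            reasons.append(f"--endpoint-url to non-AWS host {host}")
            severity = "high"
    if not reasons:
        return None  # plain 's3 cp' without the flags of interest is not in scope
    args = parsed["args"]
    if len(args) >= 2 and not args[0].startswith("s3://") and args[1].startswith("s3://"):
        reasons.append(f"upload of local path {args[0]}")  # direction: host -> bucket
    return {"host": event["host"], "user": event["user"],
            "severity": severity, "reasons": reasons}


def run_detection(events):
    """Apply evaluate() to every event and keep the matches."""
    return [a for a in (evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["user"], "; ".join(alert["reasons"]))
```

Run as written, the backup job on `build-01` and the `--profile prod` copy on `web-02` match at medium severity, while the recursive upload of a home directory to a non-AWS endpoint is raised to high; the `s3 ls` and the single-file copy without the flags of interest produce nothing. In production the medium matches are where tuning happens: baseline the hosts and service accounts that legitimately run recursive `s3 cp` (backup and CI systems) and correlate the remaining matches with the user, parent process and network connections, as the rule summary describes.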
Categories
  • Cloud
  • Linux
  • macOS
  • Infrastructure
  • Endpoint
Data Sources
  • Command
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1567
Created: 2025-05-06