
Summary
This detection rule identifies executions of the AWS Security Token Service (STS) `AssumeRoot` action by users who rarely perform it, which can indicate unauthorized access. `AssumeRoot` allows a user to temporarily assume the root account role; an adversary holding compromised credentials could use it to escalate privileges and reach sensitive AWS resources. The rule uses CloudTrail logs and filters for events in which the action completed successfully and the calling user is atypical. False positives may arise from legitimate administrative activity or automated workflows. The investigation guidance covers the actor behind the call, the request parameters, and any unusual geolocation or user agent, giving analysts clear steps to distinguish potential exploitation from routine operations.
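The following is an added example written for this page, not the detection rule's own implementation. It runs the "successful AssumeRoot by a rare user" logic over a handful of constructed CloudTrail-style records: a baseline of actors who successfully called `AssumeRoot` during a history window is built first, and any successful call in the alert window by an actor outside that baseline is returned together with the triage fields the summary mentions (request parameters, source IP, user agent). Account IDs, ARNs, IPs and timestamps are placeholders; the field names (`eventSource`, `eventName`, `errorCode`, `userIdentity.arn`, `requestParameters.targetPrincipal` / `taskPolicyArn`) follow CloudTrail's AssumeRoot record layout as assumed here, so check them against your own trail before reuse.

```python
"""Rare-user detector for AWS STS AssumeRoot events in CloudTrail.

Added example for this page, not the detection rule's own code. The records
below are constructed; account IDs, ARNs and IPs are placeholders. Field
names follow CloudTrail's AssumeRoot record layout as assumed here.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

STS_SOURCE = "sts.amazonaws.com"

# Constructed CloudTrail-style records, trimmed to the fields the logic uses.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2024-11-01T08:00:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRoot", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"targetPrincipal": "222222222222",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}}},
    # A failed attempt carries errorCode and must not count toward the baseline.
    {"eventTime": "2024-11-05T12:00:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRoot", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"targetPrincipal": "333333333333"}},
    {"eventTime": "2024-11-10T09:30:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRoot", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"targetPrincipal": "222222222222",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}}},
    # Alert window starts 2024-11-24. alice has a baseline; bob does not.
    {"eventTime": "2024-11-24T09:00:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRoot", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"targetPrincipal": "222222222222",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}}},
    {"eventTime": "2024-11-24T10:30:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRoot", "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"targetPrincipal": "333333333333",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"}}},
    # A plain AssumeRole call is outside the rule's scope.
    {"eventTime": "2024-11-24T11:00:00+00:00", "eventSource": STS_SOURCE,
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/Admin"}},
]

ALERT_START = datetime(2024, 11, 24, tzinfo=timezone.utc)


def event_time(event: Dict) -> datetime:
    """Parse the ISO-8601 eventTime into an aware datetime."""
    return datetime.fromisoformat(event["eventTime"])


def is_successful_assume_root(event: Dict) -> bool:
    """True only for an STS AssumeRoot call that did not fail (no errorCode)."""
    return (event.get("eventSource") == STS_SOURCE
            and event.get("eventName") == "AssumeRoot"
            and not event.get("errorCode"))


def actor_arn(event: Dict) -> str:
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def rare_assume_root_events(events: Iterable[Dict], alert_start: datetime,
                            history_days: int = 30) -> List[Dict]:
    """Return triage records for successful AssumeRoot calls in the alert
    window whose actor made no successful AssumeRoot call in the preceding
    history window (the 'rare user' condition)."""
    history_start = alert_start - timedelta(days=history_days)
    successes = [e for e in events if is_successful_assume_root(e)]
    baseline: Set[str] = {actor_arn(e) for e in successes
                          if history_start <= event_time(e) < alert_start}
    hits = []
    for e in successes:
        if event_time(e) < alert_start or actor_arn(e) in baseline:
            continue
        params = e.get("requestParameters", {})
        hits.append({
            "time": e["eventTime"],
            "actor": actor_arn(e),
            "target_account": params.get("targetPrincipal"),
            "task_policy": (params.get("taskPolicyArn") or {}).get("arn"),
            "source_ip": e.get("sourceIPAddress"),   # check geolocation
            "user_agent": e.get("userAgent"),        # check for unusual tooling
        })
    return hits


def run_sample() -> List[Dict]:
    return rare_assume_root_events(SAMPLE_EVENTS, ALERT_START)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

On the sample, only bob's call is returned: alice is in the baseline, bob's earlier attempt was denied and so never established one, and the `AssumeRole` record is filtered out. In production the history window would come from a longer retention period than the alert window, and the baseline key could be widened to the (actor, target account) pair so that an established user targeting a new member account is also surfaced.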
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- User Account
- Network Traffic
ATT&CK Techniques
- T1548
- T1548.005
- T1098
- T1098.003
Created: 2024-11-24