
Abnormally High Number Of Cloud Infrastructure API Calls

Splunk Security Content

Summary
This analytic rule detects an abnormally high number of API calls to cloud infrastructure, specifically per-user activity within AWS environments. Using AWS CloudTrail logs, the rule counts API calls per user and compares each count against a baseline built with a probability density function, so that significant spikes in call volume stand out. Such spikes may indicate anomalous behavior, such as misuse of a credential or a compromise that could lead to unauthorized access, data exfiltration, or service disruption. Because legitimate call volume varies with the hour of day and the day of the week, the rule evaluates each count against the baseline for that hour and weekday rather than against a single global average, which reduces false positives from normal business-hours activity. Users whose call count exceeds the calculated threshold are flagged for review.
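The logic described above, shown as an added Python example rather than the rule's own SPL: CloudTrail events are bucketed per user by weekday and hour, a baseline is learned from the earlier weeks, and a bucket in the evaluation week is flagged when its count is far outside that baseline. The baseline here is a mean/standard-deviation z-score per bucket, which is an assumed stand-in for the density-function fit the rule uses; the CloudTrail records, the user names and the threshold values are all constructed for the example.

```python
"""Hour-of-day / day-of-week baselined API-call spike detection over CloudTrail.

Added example code, not Splunk's rule. The CloudTrail-style records are
synthetic; the z-score baseline approximates a density-function comparison.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

START = datetime(2024, 10, 7, tzinfo=timezone.utc)  # a Monday; weekday() == 0
assert START.weekday() == 0, "generator assumes START is a Monday"
WEEKS = 4                # 3 training weeks, 1 evaluation week
USERS = ("alice", "bob")  # constructed IAM user names
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def synth_count(week, dow, hour):
    """Deterministic 'normal' hourly call volume: busy on weekdays 09-18, sparse otherwise."""
    if dow < 5 and 9 <= hour < 18:
        return 18 + (week + dow + hour) % 5          # 18..22 calls in the hour
    return 1 if (week + dow + hour) % 3 == 0 else 0  # an occasional off-hours call


def make_event(ts, user, event_name):
    """Minimal CloudTrail-shaped record (constructed, only the fields the logic reads)."""
    return {
        "eventTime": ts.strftime(TS_FMT),
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "userName": user},
    }


def make_events():
    """Four weeks of baseline traffic for both users plus one injected spike."""
    events = []
    for week in range(WEEKS):
        for dow in range(7):
            for hour in range(24):
                ts = START + timedelta(weeks=week, days=dow, hours=hour)
                for user in USERS:
                    for i in range(synth_count(week, dow, hour)):
                        events.append(make_event(ts + timedelta(seconds=10 * i), user, "ListObjects"))
    # Injected anomaly: alice issues 300 calls on Saturday 03:00 UTC of the last week.
    spike = START + timedelta(weeks=WEEKS - 1, days=5, hours=3)
    for i in range(300):
        events.append(make_event(spike + timedelta(seconds=10 * i), "alice", "GetObject"))
    return events


def bucket_counts(events):
    """Count calls per (user, week-index, weekday, hour). Week index is relative to START."""
    counts = defaultdict(int)
    for e in events:
        t = datetime.strptime(e["eventTime"], TS_FMT).replace(tzinfo=timezone.utc)
        ident = e["userIdentity"]
        user = ident.get("userName") or ident.get("arn", "unknown")
        counts[(user, (t - START).days // 7, t.weekday(), t.hour)] += 1
    return counts


def build_baseline(counts, train_weeks):
    """Per (user, weekday, hour): mean and stdev over the training weeks.

    A bucket with no events in a training week contributes 0, so quiet hours are
    modelled as quiet instead of being absent from the baseline."""
    samples = defaultdict(list)
    for user in {k[0] for k in counts}:
        for week in train_weeks:
            for dow in range(7):
                for hour in range(24):
                    samples[(user, dow, hour)].append(counts.get((user, week, dow, hour), 0))
    return {k: (mean(v), pstdev(v)) for k, v in samples.items()}


def detect(counts, baseline, eval_week, z_thresh=4.0, min_sigma=2.0, min_calls=10):
    """Flag buckets in eval_week with count > mean + z_thresh * sigma.

    min_sigma floors the stdev so a nearly silent bucket (stdev ~ 0) cannot turn a
    single extra call into a hit; min_calls drops tiny absolute counts. Both are
    assumed tuning values, not the rule's."""
    hits = []
    for (user, week, dow, hour), n in counts.items():
        if week != eval_week:
            continue
        mu, sigma = baseline.get((user, dow, hour), (0.0, 0.0))
        z = (n - mu) / max(sigma, min_sigma)
        if z > z_thresh and n >= min_calls:
            hits.append({"user": user, "dow": dow, "hour": hour, "count": n,
                         "baseline_mean": round(mu, 2), "z": round(z, 1)})
    return sorted(hits, key=lambda h: -h["z"])


def run():
    counts = bucket_counts(make_events())
    baseline = build_baseline(counts, train_weeks=range(WEEKS - 1))
    return detect(counts, baseline, eval_week=WEEKS - 1)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Only the injected Saturday 03:00 burst is reported; the weekday business-hours buckets, whose counts move between 18 and 22, stay well inside their own baselines, and the sparse off-hours buckets are protected by the stdev floor and the minimum call count. In a real deployment the same two guards matter: a user or role with too little history produces a baseline that flags almost anything, and service principals with steady machine-driven volume deserve their own thresholds rather than the human-user defaults.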
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1078.004
  • T1078
Created: 2024-11-14