
AWS CLI with Kali Linux Fingerprint Identified

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies AWS CLI activity whose user agent string contains `distrib#kali`, the distribution marker an AWS CLI running on Kali Linux reports. Kali is the standard toolkit host for offensive security work, so the pattern points at tooling an attacker (or a penetration tester) would use rather than a normal workstation or CI runner. The rule runs over AWS CloudTrail logs and surfaces API calls that may indicate unauthorized access or misuse of valid credentials (T1078 Valid Accounts, T1078.004 Cloud Accounts). Because the user agent is set by the client and is trivial to change or strip, the rule treats a match as a lead to be qualified rather than proof: the recommended triage weighs the user agent alongside the calling identity, its usual access patterns, and the source IP of the requests. The rule pairs investigation guidance with response steps, urging immediate action when the use is unauthorized, including revoking the access keys involved and tightening the affected IAM policies. It also documents the expected false positives, chiefly legitimate users running security assessments from Kali, which is why the surrounding context of the activity must be established before acting.
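The following is an added example, not Elastic's rule logic or any code from the rule repository. It reproduces the core match offline: read a CloudTrail log body, keep only events whose `userAgent` both comes from the AWS CLI and carries `distrib#kali`, and emit the identity, source IP and action a responder would triage first. The CloudTrail records and user agent strings are constructed for the example; the field ordering inside the user agent and the `md/distrib#<name>` spelling mimic the AWS CLI v2 format and are assumptions, not captured data. The check is case-insensitive, and it requires the `aws-cli/` prefix so that a hypothetical SDK reporting the same distribution marker is excluded, matching the rule's AWS CLI focus.

```python
"""Find AWS CLI events from a Kali Linux host in a CloudTrail log body."""
import json
from typing import Any

KALI_MARKER = "distrib#kali"  # substring the detection keys on
CLI_PREFIX = "aws-cli/"       # restrict to the AWS CLI, as the rule title does

# Constructed sample CloudTrail log body (not real data). The user agent
# strings imitate the AWS CLI v2 layout; exact field order is an assumption.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-04-11T09:12:03Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": ("aws-cli/2.17.0 md/awscrt#0.20.11 ua/2.0 os/linux#6.8.11-amd64 "
                   "md/arch#x86_64 lang/python#3.11.9 md/installer#source "
                   "md/distrib#kali.2024.3 md/command#sts.get-caller-identity")},
    {"eventTime": "2025-04-11T09:14:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "userAgent": ("aws-cli/2.17.0 ua/2.0 os/linux#6.5.0-generic md/arch#x86_64 "
                   "lang/python#3.11.9 md/distrib#ubuntu.22.04 md/command#s3.ls")},
    {"eventTime": "2025-04-11T09:20:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "userAgent": "console.amazonaws.com"},
    {"eventTime": "2025-04-11T09:31:58Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/pentest"},
     "userAgent": ("AWS-CLI/2.17.0 ua/2.0 os/linux#6.8.11-amd64 md/arch#x86_64 "
                   "lang/python#3.11.9 md/distrib#KALI.2024.4 md/command#iam.list-users")},
    {"eventTime": "2025-04-11T09:33:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     # Hypothetical SDK agent carrying the marker: outside the AWS CLI scope.
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.8 md/distrib#kali.2024.3"},
]})


def is_kali_aws_cli(record: dict[str, Any]) -> bool:
    """True when the event's userAgent is an AWS CLI build reporting Kali Linux.

    Case-insensitive so a differently cased marker is not missed. userAgent is
    client-supplied and can be altered or removed, so False is not evidence of
    absence; True is a lead that still needs the identity and source IP checked.
    """
    ua = (record.get("userAgent") or "").lower()
    return ua.startswith(CLI_PREFIX) and KALI_MARKER in ua


def find_kali_cli_events(raw_cloudtrail: str) -> list[dict[str, str]]:
    """Parse a CloudTrail log body and return one triage row per matching event."""
    records = json.loads(raw_cloudtrail).get("Records", [])
    rows: list[dict[str, str]] = []
    for rec in records:
        if not is_kali_aws_cli(rec):
            continue
        rows.append({
            "time": rec.get("eventTime", ""),
            "identity": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress", ""),
            "action": f"{rec.get('eventSource', '')}:{rec.get('eventName', '')}",
        })
    return rows


def identities_to_review(rows: list[dict[str, str]]) -> set[str]:
    """Distinct principals behind the matches: the key-revocation / IAM review list."""
    return {row["identity"] for row in rows}


if __name__ == "__main__":
    hits = find_kali_cli_events(SAMPLE_CLOUDTRAIL)
    for row in hits:
        print(f"{row['time']} {row['identity']} {row['source_ip']} {row['action']}")
    print("review:", sorted(identities_to_review(hits)))
```

Dropping the `CLI_PREFIX` test broadens the check to any client that reports the marker, at the cost of more false positives from SDK-based tooling; keeping it mirrors the rule's AWS CLI scope. The same lowercased substring match can be expressed as a wildcard on `user_agent.original` in the SIEM, but the triage columns above are what make the alert actionable.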
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Cloud Storage
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2025-04-11