
Summary
The rule monitors execution of the AWS Systems Manager (SSM) `SendCommand` API with the `AWS-RunShellScript` or `AWS-RunPowerShellScript` document parameters on EC2 instances, which can indicate malicious activity. Because adversaries can leverage SSM to execute commands without requiring SSH or RDP access, the rule aims to detect such unauthorized use. It uses a new terms detection approach, triggering an alert only when this action is observed for the first time on a host within a week. By analyzing process execution metadata collected from sources such as Elastic Defend, the detection captures the command invocation together with its parameters, enabling timely threat assessment and remediation. Careful documentation and monitoring are advised to distinguish legitimate administrative use from potential attacks against cloud resources.
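The following is an added illustration of the detection logic described above, not the rule's own query or any Elastic code. It matches `aws ssm send-command` process events whose `--document-name` is one of the two run-script documents and then applies a simplified "new terms" check: a host alerts the first time it is seen issuing such a command and again only after it has been quiet for longer than the seven-day window. The events, host names, user names and instance ids are constructed samples in ECS-like field layout.

```python
"""Toy re-implementation of a "new terms" detection for SSM SendCommand
process events. Added example; not the rule's own query or Elastic code."""
import json
from datetime import datetime, timedelta

# Run documents named by the rule: both execute arbitrary commands on the instance.
RUN_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# A host is "new" if it has not issued a matching command within this window.
NEW_TERMS_WINDOW = timedelta(days=7)

# Constructed sample process events (ECS-like field names; not real telemetry).
# Host names, user names and instance ids are placeholders.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"@timestamp": "2024-01-01T10:00:00Z", "host": {"name": "web-01"}, "user": {"name": "deploy"}, "process": {"name": "aws", "args": ["aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript", "--instance-ids", "i-0000000000000001", "--parameters", "commands=uptime"]}}
{"@timestamp": "2024-01-02T09:30:00Z", "host": {"name": "web-01"}, "user": {"name": "deploy"}, "process": {"name": "aws", "args": ["aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript", "--instance-ids", "i-0000000000000001", "--parameters", "commands=uptime"]}}
{"@timestamp": "2024-01-03T08:00:00Z", "host": {"name": "web-01"}, "user": {"name": "deploy"}, "process": {"name": "aws", "args": ["aws", "ssm", "describe-instance-information"]}}
{"@timestamp": "2024-01-03T12:00:00Z", "host": {"name": "ops-02"}, "user": {"name": "admin"}, "process": {"name": "aws", "args": ["aws", "ssm", "send-command", "--document-name=AWS-RunPowerShellScript", "--instance-ids", "i-0000000000000002", "--parameters", "commands=Get-Service"]}}
{"@timestamp": "2024-01-04T12:00:00Z", "host": {"name": "ops-02"}, "user": {"name": "admin"}, "process": {"name": "aws", "args": ["aws", "ssm", "send-command", "--document-name", "AWS-UpdateSSMAgent", "--instance-ids", "i-0000000000000002"]}}
{"@timestamp": "2024-01-15T10:00:00Z", "host": {"name": "web-01"}, "user": {"name": "deploy"}, "process": {"name": "aws", "args": ["aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript", "--instance-ids", "i-0000000000000001", "--parameters", "commands=uptime"]}}
""".strip().splitlines()]


def document_name(args):
    """Return the value of --document-name from a CLI argv (either
    '--document-name X' or '--document-name=X'), or None if absent."""
    for i, arg in enumerate(args):
        if arg == "--document-name" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--document-name="):
            return arg.split("=", 1)[1]
    return None


def matches_send_command(event):
    """True when the event is an `aws ssm send-command` using a run-script document."""
    proc = event.get("process", {})
    args = proc.get("args", [])
    if proc.get("name") != "aws" or "send-command" not in args:
        return False
    return document_name(args) in RUN_DOCUMENTS


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_new_terms(events, window=NEW_TERMS_WINDOW):
    """Alert on the first matching event per host, and again only after the
    host has gone longer than `window` without a matching event."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_send_command(event):
            continue
        ts = parse_ts(event["@timestamp"])
        host = event["host"]["name"]
        previous = last_seen.get(host)
        if previous is None or ts - previous > window:
            alerts.append({
                "timestamp": event["@timestamp"],
                "host": host,
                "user": event.get("user", {}).get("name"),
                "document": document_name(event["process"]["args"]),
            })
        last_seen[host] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_new_terms(SAMPLE_EVENTS):
        print(alert)
```

Run over the constructed sample, the second `web-01` invocation on 2024-01-02 is suppressed because the host was seen the day before, the `describe-instance-information` call and the `AWS-UpdateSSMAgent` document never match, and the 2024-01-15 invocation alerts again because `web-01` had been quiet for more than seven days. Widening the window (for example to 28 days) collapses that third alert, which is the trade-off a tuner makes between noise and catching a host that starts using SSM run documents after a long gap.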
Categories
- Cloud
- Endpoint
- Infrastructure
Data Sources
- Cloud Service
- Web Credential
- User Account
- Process
- Network Traffic
ATT&CK Techniques
- T1651
Created: 2022-09-03