
Summary
This rule monitors AWS CloudTrail logs for a single AWS resource making `DescribeInstances` API calls in more than 10 regions within a 30-second window. Such behavior can indicate reconnaissance by a threat actor, typically using compromised credentials to enumerate EC2 infrastructure across regions. The detection queries the logs for `DescribeInstances` calls, groups them by the calling identity, counts the distinct regions touched within the window, and flags patterns that deviate from normal operational practice. When the rule fires, recommended investigative steps are to validate the identity and permissions of the resource making the calls, examine its related API activity in the same period, and confirm that its permissions follow the principle of least privilege. Establishing a baseline of expected behavior for legitimate tasks is essential to reduce false positives, since inventory scripts and other administrative tooling can produce a similar multi-region pattern.
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1580
Created: 2024-08-26