AWS DynamoDB Scan by Unusual User

Elastic Detection Rules

Summary
The rule 'AWS DynamoDB Scan by Unusual User' detects anomalous access to AWS DynamoDB tables: a successful Scan API call made by a user who does not normally scan tables. Scan reads every item in a table rather than a keyed subset, so an unexpected Scan by a principal that has never issued one is a plausible precursor to data collection and exfiltration. The rule queries CloudTrail logs for successful Scan actions and raises an alert only when the same user has not performed a Scan in the previous 14 days, which keeps routine scanning by established users from generating noise. The rule is written in KQL and matches on specific event sources and actions in the CloudTrail data. Its investigation guidance covers identifying the user, reviewing the request parameters (such as the table scanned), and auditing the source IP address to judge whether the activity is legitimate. Suggested responses include revoking the user's access and conducting a security review of the account.
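The following is an added Python example, not code from the Elastic rule or from this page, that replays constructed CloudTrail records to show the new-terms logic the summary describes: keep only successful Scan calls against the DynamoDB service, key them on the caller's ARN, and alert when that ARN has no qualifying Scan in the preceding 14 days. It works on raw CloudTrail field names (eventSource, eventName, errorCode, userIdentity.arn, sourceIPAddress, requestParameters.tableName); the Elastic rule runs against the ECS-mapped form of the same data, so the exact query, the keyed field and the windowing here are assumptions made for illustration, not copied from the rule.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs); only the fields the
# logic needs are included. The field names are genuine CloudTrail ones, the
# identities, IPs and table names are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-01T10:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "orders"}},
    {"eventTime": "2025-03-05T09:30:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "orders"}},
    # Denied Scan: CloudTrail records errorCode, so this is not a success.
    {"eventTime": "2025-03-10T01:15:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "errorCode": "AccessDeniedException",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"tableName": "customers"}},
    {"eventTime": "2025-03-12T01:20:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"tableName": "customers"}},
    {"eventTime": "2025-03-25T14:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "orders"}},
    # Query is a keyed read, not a full-table Scan; the rule ignores it.
    {"eventTime": "2025-03-26T14:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Query", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "orders"}},
]

HISTORY_WINDOW = timedelta(days=14)  # the 14-day look-back described in the summary


def matches_rule(event):
    """Filter half of the rule (assumed mapping): a successful DynamoDB Scan."""
    return (
        event.get("eventSource") == "dynamodb.amazonaws.com"
        and event.get("eventName") == "Scan"
        and "errorCode" not in event  # CloudTrail sets errorCode on failed calls
    )


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_new_term_alerts(events, history_window=HISTORY_WINDOW):
    """Replay events in time order and alert when the caller's ARN has no
    qualifying Scan within `history_window` before this one (new-terms logic)."""
    last_seen = {}   # user ARN -> time of that user's most recent successful Scan
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if not matches_rule(ev):
            continue
        ts = parse_time(ev["eventTime"])
        user = ev["userIdentity"]["arn"]
        prev = last_seen.get(user)
        if prev is None or ts - prev > history_window:
            # Carry the fields the triage steps ask for: who, from where, which table.
            alerts.append({
                "time": ev["eventTime"],
                "user": user,
                "source_ip": ev.get("sourceIPAddress"),
                "table": ev.get("requestParameters", {}).get("tableName"),
            })
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_new_term_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields three alerts: alice's first Scan, bob's first successful Scan (the denied attempt two days earlier is filtered out by the success condition and does not count as history), and alice again after a gap of more than 14 days. Two caveats follow from the same logic: when the rule is first enabled, or when less than 14 days of CloudTrail history is available, every principal that scans will alert once, and because failed calls are excluded, a principal probing tables it cannot read produces no alert from this rule at all.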
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Service
  • Cloud Storage
  • Application Log
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1567
  • T1530
Created: 2025-03-13