Detect Web Access to Decommissioned S3 Bucket

Splunk Security Content

Summary
This rule detects web requests to previously decommissioned Amazon S3 buckets by analyzing web proxy logs. Decommissioned buckets may still be referenced by legitimate applications or users, which makes them attractive targets: an attacker could use a decommissioned bucket to host malicious content or to exfiltrate sensitive data. The detection therefore records every access attempt to these domains. It works by querying the Web data model and matching each request's URL domain against a lookup table of decommissioned buckets. To use it, web proxy logs must be ingested and the list of decommissioned buckets must be populated into a KV Store lookup by the accompanying baseline search.
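As an added illustration of the matching logic described above (example code, not the rule's own SPL and not part of Splunk Security Content), the following Python resolves the S3 bucket referenced by each proxied URL and compares it with a constructed stand-in for the decommissioned-bucket lookup. It goes slightly beyond domain-only matching by also handling path-style S3 URLs. The log format, IP addresses and bucket names are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the KV Store lookup that the baseline search would populate.
DECOMMISSIONED_BUCKETS = {"legacy-assets-prod", "old-cdn-2019"}

# Matches virtual-hosted-style hosts (bucket.s3.amazonaws.com, bucket.s3.us-east-1.amazonaws.com,
# bucket.s3-us-west-2.amazonaws.com) and path-style hosts (s3.amazonaws.com, s3.<region>.amazonaws.com).
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

def s3_bucket_from_url(url):
    """Return the S3 bucket name a URL refers to, or None if the host is not an S3 endpoint."""
    parts = urlparse(url if "://" in url else "http://" + url)
    match = S3_HOST_RE.match(parts.hostname or "")  # .hostname is already lowercased
    if not match:
        return None
    if match.group("bucket"):
        return match.group("bucket")
    # Path-style URL: the first path segment names the bucket.
    return parts.path.lstrip("/").split("/", 1)[0] or None

def detect_decommissioned_access(log_text, decommissioned):
    """Return a list of (timestamp, src_ip, bucket, url) for requests that hit a decommissioned bucket.
    Expects one request per line: <timestamp> <src_ip> <status> <url> (constructed proxy format)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip it rather than abort the search
        timestamp, src_ip, _status, url = fields[:4]
        bucket = s3_bucket_from_url(url)
        if bucket is not None and bucket in decommissioned:
            hits.append((timestamp, src_ip, bucket, url))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOGS = """\
2025-02-12T10:01:02Z 10.1.2.3 200 https://legacy-assets-prod.s3.amazonaws.com/js/app.js
2025-02-12T10:01:05Z 10.1.2.3 200 https://cdn.example.com/js/app.js
2025-02-12T10:02:10Z 10.1.2.9 404 http://s3.us-east-1.amazonaws.com/old-cdn-2019/img/logo.png
2025-02-12T10:03:00Z 10.1.2.7 200 https://current-bucket.s3.eu-west-1.amazonaws.com/data.json
"""

if __name__ == "__main__":
    for hit in detect_decommissioned_access(SAMPLE_LOGS, DECOMMISSIONED_BUCKETS):
        print("ALERT decommissioned bucket accessed:", *hit)
```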
Categories
  • Cloud
  • Web
Data Sources
  • Web Credential
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1485
Created: 2025-02-12