AWS STS GetSessionToken by IAM User

Panther Rules

Summary
Detects an AWS IAM user calling STS GetSessionToken to obtain temporary credentials. While legitimate usage exists (e.g., automation, CLI access), attackers with compromised long-term IAM credentials may use GetSessionToken to generate short-lived session tokens for lateral movement or to bypass IP-based policies that apply only to long-term credentials. The rule focuses on IAMUser-initiated GetSessionToken API calls from AWS CloudTrail and differentiates from calls made by assumed roles or unrelated STS events. It supports deduplication and context checks to reduce noise, and relies on correlating IP origin and nearby activity to assess legitimacy.
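A Panther-style Python rule that implements the logic described in the summary, added here as an illustration rather than the rule's published source. The CloudTrail events at the bottom are constructed samples, and the `errorCode` filter is a choice of this example, not something the summary states.

```python
# Added example: Panther-style rule for the logic described above (not the published rule source).
# eventSource, eventName, userIdentity.type, sourceIPAddress and userAgent are standard
# CloudTrail fields; the event bodies below are constructed samples.

def rule(event: dict) -> bool:
    """Fire only for sts:GetSessionToken calls made directly by an IAM user."""
    if event.get("eventSource") != "sts.amazonaws.com":
        return False  # not an STS event at all
    if event.get("eventName") != "GetSessionToken":
        return False  # other STS calls (AssumeRole, GetCallerIdentity, ...) are out of scope
    if event.get("errorCode"):
        return False  # a denied or failed call issues no credentials (filter chosen in this example)
    # Calls made by assumed roles carry userIdentity.type == "AssumedRole"; only IAMUser matches
    return event.get("userIdentity", {}).get("type") == "IAMUser"


def dedup(event: dict) -> str:
    """Group repeated calls by the same IAM user into one alert within the dedup window."""
    return event.get("userIdentity", {}).get("arn", "<unknown-user>")


def title(event: dict) -> str:
    return (f"IAM user [{dedup(event)}] called STS GetSessionToken "
            f"from [{event.get('sourceIPAddress', '<unknown-ip>')}]")


def alert_context(event: dict) -> dict:
    """What an analyst needs to assess legitimacy: who called, from where, with which client."""
    return {
        "user_arn": dedup(event),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "aws_region": event.get("awsRegion"),
    }


# Constructed sample events (not real log data)
IAM_USER_EVENT = {
    "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken", "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.15.0",
}
ASSUMED_ROLE_EVENT = {
    "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
    "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
    "sourceIPAddress": "198.51.100.11",
}
OTHER_STS_EVENT = {
    "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
}
```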
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1550.001
  • T1548
Created: 2026-04-21