
Summary
Identifies an AWS Lambda function invocation that originates from a source network (ASN) not observed for the invoking principal within the prior 10 days, excluding common cloud provider networks. The rule relies on AWS CloudTrail data events for Lambda Invoke and uses source ASN metadata (source.as.organization.name) to flag invocations from unfamiliar external networks. Such direct invocations may indicate abuse of stolen execution-role or user credentials from attacker-controlled infrastructure attempting to run Lambda functions or access returned data. The rule triggers on successful Invoke events, requiring that CloudTrail data events for Lambda are enabled and enriched with ASN data. It uses a new_terms signal on the source ASN organization in combination with a 10-day history window to surface potentially anomalous activity. It is intended as a high-signal alert for credential compromise or misappropriated permissions in serverless contexts, and is not enabled by default due to CloudTrail data event logging requirements.
Triage and analysis guidance is provided to verify the invoking principal (aws.cloudtrail.user_identity.arn), inspect the client network (source.ip, source.as.organization.name, source.geo), examine aws.cloudtrail.request_parameters for functionName and user_agent.original, and check whether the involved credentials (aws.cloudtrail.user_identity.access_key_id) have appeared in other activity. Correlate with other actions by the same principal (IAM/STS usage, data-plane access). False positives include legitimate new networks (offices, VPNs, home IPs). Remediation involves credential rotation/revocation, reviewing the function’s access scope, and applying least-privilege controls and possible IAM condition constraints to lambda:InvokeFunction. The rule maps to MITRE ATT&CK technique T1648 (Serverless Execution) under TA0002 (Execution).
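As an added example that is not the rule's own query or part of this catalogue entry, the new-terms logic described above (per-principal source ASN organization, 10-day history window, cloud provider exclusion, successful Invoke events only) run over constructed CloudTrail-style events. The event field names follow the summary; the provider name patterns, the `ev` helper, the principals and the sample events are assumptions made for the example.

```python
# Added example, not the rule's own query: the summary's new-terms logic run
# over constructed CloudTrail-style Lambda Invoke events.
from collections import defaultdict
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)
# Assumed exclusion list (the rule's actual provider list is not reproduced);
# substrings matched case-insensitively against source.as.organization.name.
CLOUD_PROVIDER_ASN_PATTERNS = ("amazon", "google", "microsoft")

def is_cloud_provider(asn_org):
    return any(p in asn_org.lower() for p in CLOUD_PROVIDER_ASN_PATTERNS)

def find_new_asn_invocations(events):
    """Return successful Invoke events whose source ASN organization was not
    seen for the invoking principal within the prior HISTORY_WINDOW."""
    seen = defaultdict(list)  # principal ARN -> [(timestamp, asn_org), ...]
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e["event.action"] != "Invoke" or e["event.outcome"] != "success":
            continue
        asn_org = e["source.as.organization.name"]
        if is_cloud_provider(asn_org):
            continue  # excluded, like the rule's cloud provider filter
        ts = datetime.fromisoformat(e["@timestamp"])
        principal = e["aws.cloudtrail.user_identity.arn"]
        recent = {org for t, org in seen[principal] if ts - t <= HISTORY_WINDOW}
        if asn_org not in recent:  # new term for this principal in the window
            alerts.append(e)
        seen[principal].append((ts, asn_org))
    return alerts

def ev(ts, arn, asn_org, outcome="success"):
    """Hypothetical helper building a minimal event with the summary's fields."""
    return {"@timestamp": ts, "event.action": "Invoke", "event.outcome": outcome,
            "aws.cloudtrail.user_identity.arn": arn,
            "source.as.organization.name": asn_org}

# Constructed sample events (not real CloudTrail data); principals are made up.
DEPLOYER = "arn:aws:iam::123456789012:user/ci-deployer"
REPORTER = "arn:aws:sts::123456789012:assumed-role/reporting/session"
SAMPLE_EVENTS = [
    ev("2026-06-01T09:00:00", DEPLOYER, "Example Office ISP"),      # first sighting -> alert
    ev("2026-06-05T09:00:00", DEPLOYER, "Example Office ISP"),      # seen 4 days ago -> quiet
    ev("2026-06-06T02:00:00", DEPLOYER, "Amazon.com, Inc."),        # cloud provider -> excluded
    ev("2026-06-07T03:15:00", DEPLOYER, "Unfamiliar Hosting Ltd"),  # new for principal -> alert
    ev("2026-06-07T03:16:00", DEPLOYER, "Another Net", "failure"),  # failed Invoke -> ignored
    ev("2026-05-20T08:00:00", REPORTER, "Home Broadband Co"),       # first sighting -> alert
    ev("2026-06-10T08:00:00", REPORTER, "Home Broadband Co"),       # last seen 21 days ago -> alert
]
```

Running `find_new_asn_invocations(SAMPLE_EVENTS)` yields four alerts, including the same ASN re-flagged for the reporting role once its last sighting falls outside the 10-day window.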
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1648
Created: 2026-06-18