
PUA - AWS TruffleHog Execution

Summary
This detection rule identifies the execution of TruffleHog within an AWS environment by inspecting CloudTrail logs. TruffleHog is an open-source tool primarily designed for scanning source code repositories to uncover secrets and sensitive information hidden in previous commits. While it serves a legitimate purpose for security teams, its capabilities have also drawn the attention of threat actors, who can use the tool for credential harvesting and so pose a security risk within cloud environments. The rule looks for CloudTrail records whose user agent indicates the presence of TruffleHog and marks these occurrences for further investigation to ascertain whether the use is sanctioned or malicious. The rule is assigned a medium severity level, reflecting the potential implications of unauthorized access, so that monitoring and response efforts are prioritized accordingly.
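The following is an added example, not the Sigma rule itself or code from the rule's authors: it applies the user-agent check the summary describes to a small set of constructed CloudTrail records and groups the hits by principal for triage. The field names (`Records`, `userAgent`, `userIdentity.arn`, `eventName`, `sourceIPAddress`) are the standard CloudTrail record layout; the sample values, including the `trufflehog/3.x aws-sdk-go` string, are constructed for illustration and are not claimed to be the tool's real header.

```python
import json
from collections import defaultdict

# Constructed CloudTrail export (not real data): two API calls carrying a
# TruffleHog-style user agent and one ordinary AWS CLI call for contrast.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/ci-bot",
                             "userName": "ci-bot"},
            "eventTime": "2025-10-21T10:15:02Z",
            "eventSource": "sts.amazonaws.com",
            "eventName": "GetCallerIdentity",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userAgent": "TruffleHog",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/alice",
                             "userName": "alice"},
            "eventTime": "2025-10-21T10:16:40Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/scanner/session",
                             "userName": "scanner"},
            "eventTime": "2025-10-21T10:18:12Z",
            "eventSource": "sts.amazonaws.com",
            "eventName": "GetCallerIdentity",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "192.0.2.55",
            # Constructed value; the exact header TruffleHog sends is not
            # taken from the page.
            "userAgent": "trufflehog/3.x aws-sdk-go",
        },
    ]
})


def find_trufflehog_events(cloudtrail_json: str, needle: str = "trufflehog"):
    """Return the CloudTrail records whose userAgent contains `needle`.

    The match is a case-insensitive substring test, mirroring the rule's
    "user agent indicates the presence of TruffleHog" criterion. Each hit is
    reduced to the fields an analyst needs first when deciding whether the
    activity is sanctioned.
    """
    records = json.loads(cloudtrail_json).get("Records", [])
    hits = []
    for rec in records:
        user_agent = rec.get("userAgent") or ""
        if needle in user_agent.lower():
            hits.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "eventSource": rec.get("eventSource"),
                "awsRegion": rec.get("awsRegion"),
                "principal": rec.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "userAgent": user_agent,
            })
    return hits


def summarize_by_principal(hits):
    """Group hits by the calling principal: which identities used the tool,
    from which source IPs, and how many API calls each made."""
    summary = defaultdict(lambda: {"calls": 0, "sourceIPs": set(), "events": set()})
    for hit in hits:
        entry = summary[hit["principal"]]
        entry["calls"] += 1
        entry["sourceIPs"].add(hit["sourceIPAddress"])
        entry["events"].add(hit["eventName"])
    # Convert sets to sorted lists so the result is deterministic and JSON-safe.
    return {
        principal: {"calls": v["calls"],
                    "sourceIPs": sorted(v["sourceIPs"]),
                    "events": sorted(v["events"])}
        for principal, v in summary.items()
    }


if __name__ == "__main__":
    flagged = find_trufflehog_events(SAMPLE_CLOUDTRAIL)
    print(json.dumps(summarize_by_principal(flagged), indent=2))
```

The grouping step is what turns a raw match into an investigation lead: an expected scanner role running from a known CI address can be allow-listed, while an unfamiliar IAM user or source IP warrants follow-up. Because the user agent is set by the client, a match is a positive signal but its absence proves nothing; pair this rule with the CloudTrail context it surfaces (principal, source IP, sequence of API calls) rather than relying on the string alone.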
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2025-10-21