
Summary
This rule, created by Elastic, detects the use of Server-Side Encryption with Customer-Provided Keys (SSE-C) on AWS S3 objects. It identifies instances where an adversary encrypts objects in an S3 bucket with a key that only they hold, a ransomware scenario: S3 does not retain the SSE-C key after the write, so the data cannot be read until the attacker supplies it. It is a new-terms rule with a 14-day history window keyed on the user ARN and the targeted bucket name, so it fires only the first time a given user encrypts objects in a given bucket with SSE-C within that window. It triggers on a successful `PutObject` action recorded in AWS CloudTrail logs where SSE-C is used. False positives can arise from legitimate SSE-C usage, so alerts require careful investigation and response. The rule outlines investigation steps: verifying the user identity, examining the targeted bucket, evaluating the encryption behaviour, and correlating with other events to detect potentially malicious activity.
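As an added illustration (not Elastic's rule code and not part of the original page), the following Python reproduces the detection logic over constructed CloudTrail-style records: a successful `PutObject` that carries an SSE-C algorithm is alerted the first time a given (user ARN, bucket) pair appears within a 14-day window. The field names used here (`userIdentity.arn`, `requestParameters.bucketName`, `requestParameters.key`, `errorCode`, and the `x-amz-server-side-encryption-customer-algorithm` request parameter) follow the CloudTrail record format as assumed for this example; the exact field path the production rule matches on may differ.

```python
"""Toy re-implementation of the SSE-C new-terms detection described above.

The sample records below are constructed for this example and mimic the
shape of AWS CloudTrail S3 data events; they are not real log data. The
request-parameter key used to recognise SSE-C is an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

NEW_TERMS_WINDOW = timedelta(days=14)
# Assumed CloudTrail requestParameters key that records SSE-C usage.
SSEC_ALGO_KEY = "x-amz-server-side-encryption-customer-algorithm"

# Constructed sample events, one JSON record per line (not real logs).
SAMPLE_CLOUDTRAIL_JSONL = """\
{"eventTime":"2025-01-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"corp-backups","key":"db/2025-01-01.dump","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventTime":"2025-01-02T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"corp-backups","key":"db/2025-01-02.dump","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventTime":"2025-01-03T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"corp-backups","key":"db/2025-01-03.dump","x-amz-server-side-encryption":"aws:kms"}}
{"eventTime":"2025-01-04T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"bucketName":"corp-backups","key":"db/x.dump","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventTime":"2025-01-05T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"bucketName":"corp-logs","key":"logs/app.log","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventTime":"2025-01-25T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"bucketName":"corp-backups","key":"db/2025-01-25.dump","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
"""


def load_sample_events():
    """Parse the constructed JSONL records into dicts."""
    return [json.loads(line) for line in SAMPLE_CLOUDTRAIL_JSONL.splitlines() if line.strip()]


def is_ssec_put(event: dict) -> bool:
    """True for a successful S3 PutObject whose request used SSE-C (AES256)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutObject":
        return False
    if "errorCode" in event:  # CloudTrail sets errorCode only on failed calls
        return False
    params = event.get("requestParameters") or {}
    return params.get(SSEC_ALGO_KEY) == "AES256"


def detect_new_ssec_pairs(events):
    """Alert the first time a (user ARN, bucket) pair uses SSE-C within 14 days.

    Every matching event refreshes the pair's last-seen time, so a pair that
    goes quiet for longer than the window is treated as new again.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_ssec_put(ev):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        arn = ev["userIdentity"]["arn"]
        bucket = ev["requestParameters"]["bucketName"]
        pair = (arn, bucket)
        prev = last_seen.get(pair)
        if prev is None or ts - prev > NEW_TERMS_WINDOW:
            alerts.append({
                "time": ev["eventTime"],
                "user_arn": arn,
                "bucket": bucket,
                "object": ev["requestParameters"].get("key"),
            })
        last_seen[pair] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_new_ssec_pairs(load_sample_events()):
        print(alert)
```

Note that `PutObject` is an S3 data event: CloudTrail records it only when data events are enabled for the trail or bucket, so without them the rule has nothing to match. The failed upload (with `errorCode`) and the SSE-KMS upload are deliberately skipped, and the `alice`/`corp-backups` pair alerts a second time on 2025-01-25 because its previous SSE-C write was more than 14 days earlier, which is the new-terms behaviour the summary describes.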
Categories
- Cloud
- AWS
- Infrastructure
- On-Premise
Data Sources
- Cloud Storage
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1486
Created: 2025-01-15