
Summary
The 'GuardDuty Alert' rule aggregates all built-in Amazon GuardDuty alerts into a single Splunk detection search. It reads cloud data from the AWS GuardDuty sourcetype and, using fields in the BodyJson of each log, extracts the key details of a finding: its description, the action type (such as a network connection), the access key involved and the user identity. The results are formatted into a structured table with timestamps, host identification, user details and the relevant cloud service activity, so that security teams can respond quickly to the threats GuardDuty identifies and assess the risks tied to account validity and network activity. The rule also covers the techniques GuardDuty associates with cloud account management, persistence and evasion, improving situational awareness across the cloud environment.
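As an added example (not the rule's own SPL), the following Python flattens a GuardDuty finding carried in an event's BodyJson into the kind of row the rule's table holds, including a finding that has no access key at all. The BodyJson wrapper shape and the two sample findings are assumptions; the field paths follow the published GuardDuty finding schema.

```python
import json
from typing import Any, Dict, Optional


def _get(d: Any, path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def normalize_finding(raw_event: str) -> Dict[str, Any]:
    """Flatten one Splunk event carrying a GuardDuty finding into a table row.
    Field paths follow the GuardDuty finding schema; the outer "BodyJson" wrapper
    is an assumed ingestion format. Findings without accessKeyDetails (EC2-only
    findings) yield None for the user/key columns instead of raising."""
    f = json.loads(raw_event)["BodyJson"]
    # Only NETWORK_CONNECTION findings carry remote IP/port details.
    net = _get(f, "service.action.networkConnectionAction") or {}
    return {
        "time": f.get("createdAt"),
        "account": f.get("accountId"),
        "host": _get(f, "resource.instanceDetails.instanceId"),
        "user": _get(f, "resource.accessKeyDetails.userName"),
        "access_key": _get(f, "resource.accessKeyDetails.accessKeyId"),
        "finding_type": f.get("type"),
        "severity": f.get("severity"),
        "action_type": _get(f, "service.action.actionType"),
        "remote_ip": _get(net, "remoteIpDetails.ipAddressV4"),
        "remote_port": _get(net, "remotePortDetails.port"),
        "description": f.get("description"),
    }


# Constructed sample events (not real findings): an IAM access-key finding and an EC2 finding with no accessKeyDetails.
IAM_EVENT = json.dumps({"BodyJson": {
    "accountId": "111122223333", "severity": 8.0, "createdAt": "2024-02-09T10:15:00.000Z",
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "description": "API call from an IP address on a custom threat list.",
    "resource": {"accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE0000001", "userName": "ci-deployer"}},
    "service": {"action": {"actionType": "AWS_API_CALL"}}}})
EC2_EVENT = json.dumps({"BodyJson": {
    "accountId": "111122223333", "severity": 2.0, "createdAt": "2024-02-09T11:00:00.000Z",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "description": "i-0abc123def456 is being probed for SSH logins.",
    "resource": {"instanceDetails": {"instanceId": "i-0abc123def456"}},
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}, "remotePortDetails": {"port": 41522}}}}}})
```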
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1078.004
- T1069.003
- T1578
- T1069
Created: 2024-02-09