AWS Lambda Function Invoked Cross-Account

Elastic Detection Rules

Summary
This detection rule flags cross-account AWS Lambda invocations, where a Lambda function is invoked by a principal from a different AWS account than the function's owning account. It relies on AWS CloudTrail data events for Lambda invocation. The rule extracts the caller's account from aws.cloudtrail.user_identity.arn and the function's owning account from aws.cloudtrail.request_parameters, exposing them as Esql.caller_account and Esql.function_account. It considers only successful Invoke events with non-null ARNs and requires that the caller and function accounts differ, which signals a cross-account invocation. The query aggregates results by the invoking principal and both accounts, returning counts, source IPs, and the function ARNs involved (Esql.invocation_count, Esql.source_ips, Esql.function_arns). Setup requires enabling Lambda data events in CloudTrail and routing them to the detection pipeline. The rule maps to MITRE ATT&CK under Serverless Execution (T1648) within the Execution tactic (TA0002). The investigation guidance covers validating whether the cross-account relationship is legitimate, correlating with AddPermission grants, and examining related activity. False positives include legitimate multi-account architectures and partner integrations; once validated, these should be added to an allowlist or excluded from the rule. If the invocation is unauthorized, remediation includes removing the cross-account resource-policy statement (RemovePermission), tightening governance around lambda:InvokeFunction so that only approved accounts are permitted, and reviewing the function's execution role and access paths.
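The following is an added example, not part of the Elastic rule or its ES|QL query: a Python re-implementation of the same detection logic run over a handful of constructed CloudTrail Lambda data events in flattened ECS field names. It pulls the caller account out of the user-identity ARN, the function account out of the Lambda ARN embedded in the request parameters, keeps only successful Invoke events with both ARNs present, drops same-account invocations, and aggregates the rest by principal and account pair the way the rule does. The `approved_pairs` parameter is an assumption added to show how a validated multi-account relationship would be excluded; the sample event records are constructed for this example and the account IDs, role names and IPs in them are placeholders.

```python
import re
from collections import defaultdict

# A Lambda function ARN: the 12-digit account id is the 5th colon-separated field.
LAMBDA_ARN_RE = re.compile(
    r"arn:aws:lambda:[a-z0-9-]+:(\d{12}):function:[A-Za-z0-9_-]+"
)


def account_from_arn(arn):
    """Return the 12-digit account id from any AWS ARN, or None if absent.

    Works for IAM user ARNs (arn:aws:iam::ACCT:user/...), STS assumed-role
    ARNs (arn:aws:sts::ACCT:assumed-role/...) and Lambda function ARNs.
    """
    parts = arn.split(":")
    if len(parts) < 6 or not re.fullmatch(r"\d{12}", parts[4]):
        return None
    return parts[4]


def function_arn_from_request(request_parameters):
    """Extract the invoked function's ARN from the raw requestParameters string."""
    match = LAMBDA_ARN_RE.search(request_parameters or "")
    return match.group(0) if match else None


def detect_cross_account_invocations(events, approved_pairs=frozenset()):
    """Mirror the rule: successful Invoke events whose caller account differs from
    the function's account, aggregated by (caller ARN, caller account, function account).

    approved_pairs (assumed, not in the rule) holds validated
    (caller_account, function_account) tuples to exclude as known-good.
    """
    groups = defaultdict(
        lambda: {"invocation_count": 0, "source_ips": set(), "function_arns": set()}
    )
    for ev in events:
        if ev.get("event.action") != "Invoke" or ev.get("event.outcome") != "success":
            continue
        caller_arn = ev.get("aws.cloudtrail.user_identity.arn")
        fn_arn = function_arn_from_request(ev.get("aws.cloudtrail.request_parameters"))
        if not caller_arn or not fn_arn:
            continue  # rule requires both ARNs to be non-null
        caller_account = account_from_arn(caller_arn)
        function_account = account_from_arn(fn_arn)
        if not caller_account or not function_account:
            continue
        if caller_account == function_account:
            continue  # same-account invocation is not in scope
        if (caller_account, function_account) in approved_pairs:
            continue  # validated multi-account / partner relationship
        group = groups[(caller_arn, caller_account, function_account)]
        group["invocation_count"] += 1
        if ev.get("source.ip"):
            group["source_ips"].add(ev["source.ip"])
        group["function_arns"].add(fn_arn)
    # Return plain, sorted structures so results are easy to compare and report.
    return {
        key: {
            "invocation_count": g["invocation_count"],
            "source_ips": sorted(g["source_ips"]),
            "function_arns": sorted(g["function_arns"]),
        }
        for key, g in groups.items()
    }


def _event(action, outcome, caller_arn, fn_name, owner, ip):
    """Build a constructed, flattened CloudTrail Lambda data event record."""
    req = (
        '{"functionName":"arn:aws:lambda:us-east-1:%s:function:%s"}' % (owner, fn_name)
        if fn_name else None
    )
    return {
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": caller_arn,
        "aws.cloudtrail.request_parameters": req,
        "source.ip": ip,
    }


# Constructed sample events (placeholder account ids, roles and IPs).
OWNER = "111122223333"
PARTNER_ROLE = "arn:aws:sts::999988887777:assumed-role/PartnerRole/session1"
OTHER_USER = "arn:aws:iam::444455556666:user/ci-runner"
SAMPLE_EVENTS = [
    _event("Invoke", "success", "arn:aws:iam::111122223333:user/dev", "order-processor", OWNER, "198.51.100.5"),
    _event("Invoke", "success", PARTNER_ROLE, "order-processor", OWNER, "203.0.113.10"),
    _event("Invoke", "success", PARTNER_ROLE, "invoice-export", OWNER, "203.0.113.11"),
    _event("Invoke", "failure", OTHER_USER, "order-processor", OWNER, "203.0.113.20"),
    _event("Invoke", "success", None, "order-processor", OWNER, "203.0.113.21"),
    _event("Invoke", "success", OTHER_USER, "order-processor", OWNER, "203.0.113.22"),
]

if __name__ == "__main__":
    for key, summary in detect_cross_account_invocations(SAMPLE_EVENTS).items():
        print(key, summary)
```

Run as a script it prints one aggregated row per cross-account principal: the partner role with two invocations across two functions and two source IPs, and the CI user with one, while the same-account, failed and null-ARN events are dropped. Passing `approved_pairs={("999988887777", "111122223333")}` after the partner relationship has been validated leaves only the unexpected CI-user row, which is the allowlisting the rule's false-positive guidance describes.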
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1648
Created: 2026-06-18