
Summary
This detection rule for AWS CloudTrail identifies account discovery attempts by adversaries. According to MITRE ATT&CK (T1087, Account Discovery), adversaries may enumerate valid accounts within an AWS environment. The rule monitors specific API calls, in particular `DescribeAccount`, `GetAlternateContact`, and `GetContactInformation`, to capture such discovery activity when it occurs. It specifies the expected event names together with the characteristics of legitimate activity in AWS accounts. Events are validated on attributes such as AWS region, event ID, and source IP address to decide whether they match the pre-defined criteria that indicate intelligence gathering by an adversary. This detection does not create alerts; it logs the relevant information for auditing and monitoring. The rule helps security teams recognize attempts at unauthorized account enumeration and so strengthens the overall cloud security posture.
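The matching logic described above, as an added example that is not the rule's own code: it filters CloudTrail records for the three account-discovery API calls and keeps the region, event ID and source IP for audit logging rather than alerting. The `eventSource` value and the sample trail records are constructed assumptions, not taken from the page.

```python
# Added example (not the detection rule's own code): minimal matcher for the
# CloudTrail account-discovery logic. The three event names come from the rule;
# the eventSource value and the sample records below are constructed assumptions.
import json

ACCOUNT_DISCOVERY_EVENTS = {"DescribeAccount", "GetAlternateContact", "GetContactInformation"}
# Assumption: the AWS Account Management API logs these calls under this eventSource.
ACCOUNT_EVENT_SOURCE = "account.amazonaws.com"


def match_account_discovery(record):
    """Return a compact audit entry if the CloudTrail record is one of the
    account-discovery API calls, otherwise None. Audit only: no alert is raised."""
    if record.get("eventSource") != ACCOUNT_EVENT_SOURCE:
        return None
    if record.get("eventName") not in ACCOUNT_DISCOVERY_EVENTS:
        return None
    return {
        "eventID": record.get("eventID"),
        "eventName": record["eventName"],
        "awsRegion": record.get("awsRegion"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "principal": record.get("userIdentity", {}).get("arn"),
        # Denied calls are kept: a failed attempt is still a discovery attempt.
        "errorCode": record.get("errorCode"),
    }


def scan_trail(trail_json):
    """Parse a CloudTrail log file ({"Records": [...]}) and return the matched entries."""
    records = json.loads(trail_json).get("Records", [])
    return [m for m in (match_account_discovery(r) for r in records) if m]


# Constructed sample trail: two discovery calls (one denied) and one unrelated S3 call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "evt-0001", "eventSource": "account.amazonaws.com", "eventName": "GetContactInformation",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventID": "evt-0002", "eventSource": "account.amazonaws.com", "eventName": "GetAlternateContact",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventID": "evt-0003", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
]})

if __name__ == "__main__":
    for entry in scan_trail(SAMPLE_TRAIL):
        print(json.dumps(entry))  # one audit line per matched discovery call
```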
Categories
- Cloud
Data Sources
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1087
Created: 2022-12-06