
Summary
The Decoy DynamoDB Accessed rule is a high-severity detection for AWS accounts. It identifies unauthorized or unusual access to a private decoy DynamoDB table, specifically the table with ARN arn:aws:dynamodb:us-east-1:123456789012:table/Panther-DataTable. The rule monitors AWS Security Finding Format (ASFF) logs and raises an alert when access to the table is detected. It inspects properties of the recorded AWS API calls, particularly the 'Scan' API operation, to determine whether an actor, legitimate or not, has interacted with the DynamoDB resource. The analysis focuses on the AWS account ID, the action type, and the user identity involved in the access attempt. By deploying this rule, security teams can gain insight into potentially suspicious behavior and respond accordingly.
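The matching logic described above, as an added example that is not the rule's own source: it assumes findings arrive as parsed ASFF JSON and reads the ASFF keys Action.ActionType, Action.AwsApiCallAction.Api and Resources[].Id. The findings are constructed, and because the summary does not say which field carries the user identity, the example reports the caller IP from RemoteIpDetails instead.

```python
# Added example, not the rule's source. Keys follow the ASFF schema.
DECOY_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Panther-DataTable"
WATCHED_APIS = {"Scan"}  # the only operation the summary names


def decoy_access(finding):
    """Return alert context if the finding is a watched API call on the decoy table, else None."""
    action = finding.get("Action") or {}
    if action.get("ActionType") != "AWS_API_CALL":
        return None
    call = action.get("AwsApiCallAction") or {}
    if call.get("Api") not in WATCHED_APIS:
        return None
    # Exact ARN comparison: a prefix or substring test would also match
    # tables such as Panther-DataTable-backup.
    resources = finding.get("Resources") or []
    if not any(r.get("Id") == DECOY_TABLE_ARN for r in resources):
        return None
    return {
        "account": finding.get("AwsAccountId"),
        "api": call["Api"],
        "caller_ip": (call.get("RemoteIpDetails") or {}).get("IpAddressV4"),
    }


def make_finding(api, table, action_type="AWS_API_CALL", ip="198.51.100.7"):
    """Build a constructed, minimal ASFF-shaped finding for the demo."""
    return {
        "AwsAccountId": "123456789012",
        "Resources": [{"Type": "AwsDynamoDbTable",
                       "Id": f"arn:aws:dynamodb:us-east-1:123456789012:table/{table}"}],
        "Action": {"ActionType": action_type,
                   "AwsApiCallAction": {"Api": api, "ServiceName": "dynamodb.amazonaws.com",
                                        "RemoteIpDetails": {"IpAddressV4": ip}}},
    }


SAMPLE_FINDINGS = [  # constructed sample data
    make_finding("Scan", "Panther-DataTable"),          # alerts
    make_finding("Scan", "Panther-DataTable-backup"),   # different table
    make_finding("GetItem", "Panther-DataTable"),       # API not watched
    make_finding("Scan", "Panther-DataTable", action_type="PORT_PROBE"),
    {"AwsAccountId": "123456789012"},                   # malformed: no Action/Resources
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(decoy_access(f))
```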
Categories
- AWS
- Cloud
- Infrastructure
Data Sources
- Cloud Service
- Application Log
- Network Traffic
Created: 2024-06-27