
Summary
This detection rule identifies SAML access events in AWS environments, focusing on `AssumeRoleWithSAML` events as recorded in AWS CloudTrail logs. By examining key parameters such as `principalArn`, `roleArn`, and `roleSessionName`, the rule seeks to uncover anomalous access patterns that may indicate credential hijacking or improper access by federated users. Because assuming a role can give a malicious actor unauthorized access to AWS resources, detecting unusual role assumptions is important for preventing data breaches. The rule applies statistical analysis to access metrics and alerts on deviations in AWS user behavior, helping secure AWS environments against attacks that abuse SAML federation and federated authentication.
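The following is an added illustration of the kind of check the summary describes, not the rule's own logic: it filters CloudTrail records down to `AssumeRoleWithSAML`, reads `principalArn`, `roleArn` and `roleSessionName` from `requestParameters`, and flags principal/role pairs absent from a hypothetical baseline as well as pairs used under more than one session name. The records and the baseline are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (sample data, not real logs); only the fields the check reads.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "requestParameters": {"principalArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP",
                           "roleArn": "arn:aws:iam::111122223333:role/ReadOnly",
                           "roleSessionName": "alice@example.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "requestParameters": {"principalArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP",
                           "roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "alice@example.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "requestParameters": {"principalArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP",
                           "roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "bob@example.com"}},
    # Non-SAML role assumption: must be ignored by the filter below.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "ci-runner"}},
]})

# Hypothetical baseline of known-good principal -> role pairs (in practice built from historical logs).
BASELINE_PAIRS = {("arn:aws:iam::111122223333:saml-provider/ExampleIdP",
                   "arn:aws:iam::111122223333:role/ReadOnly")}

def saml_assumptions(cloudtrail_json):
    """Return (principalArn, roleArn, roleSessionName) for every AssumeRoleWithSAML record."""
    out = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRoleWithSAML":
            continue
        params = rec.get("requestParameters") or {}
        out.append((params.get("principalArn"), params.get("roleArn"), params.get("roleSessionName")))
    return out

def detect_anomalies(cloudtrail_json, baseline_pairs):
    """Flag roles a principal has not assumed before, and principal/role pairs used under several session names."""
    alerts = set()
    session_names = defaultdict(set)
    for principal, role, session in saml_assumptions(cloudtrail_json):
        if (principal, role) not in baseline_pairs:
            alerts.add(("new_principal_role_pair", principal, role))
        session_names[(principal, role)].add(session)
    for (principal, role), names in session_names.items():
        if len(names) > 1:
            alerts.add(("multiple_session_names", principal, role))
    return sorted(alerts)
```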
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1078
Created: 2024-11-14