
Monitor Unauthorized API Calls

Panther Rules

Summary
The detection rule 'Monitor Unauthorized API Calls' identifies unauthorized API calls made within AWS environments, as recorded in AWS CloudTrail logs. An action is treated as unauthorized when the API call returns the 'AccessDenied' error code. The rule inspects CloudTrail events for specific attributes, including the event name, user agent, source IP address, and recipient account ID. When an unauthorized API call occurs, the rule captures detailed information about the event, including the calling user's identity and the time of the event. The rule is set to Info severity, meaning it records the activity for review without triggering an immediate alert. It can be customized to trigger an alert once a threshold of 20 unauthorized calls is reached within a 1440-minute deduplication window. This detection helps security teams track potential misconfigurations or unauthorized access within AWS by keeping a record of all CloudTrail logs that match the error condition. The rule is supported by operational runbooks for incident response and remediation documentation.
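The following is an added example, not Panther's own rule code, that shows the detection logic described above in the shape of a Panther-style Python rule: a `rule()` function matching on the CloudTrail `errorCode`, a `title()` and `alert_context()` that surface the event name, user agent, source IP, recipient account ID, identity and time, and a `dedup()` key. The event is a plain dict here (Panther's real event wrapper and its `deep_get` helper are replaced by a small stdlib stand-in, an assumption made so the block runs offline), the per-principal grouping in `dedup()` is an assumption, and the threshold counting that the Panther platform performs across the 1440-minute window is simulated for a single batch of constructed records.

```python
import json
from collections import Counter

THRESHOLD = 20                # matches before an alert fires (from the rule summary)
DEDUP_PERIOD_MINUTES = 1440   # deduplication window in minutes (from the rule summary)


def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; stands in for Panther's deep_get helper (assumption)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def rule(event):
    """Fire on any CloudTrail record whose API call was refused with AccessDenied."""
    return event.get("errorCode") == "AccessDenied"


def title(event):
    """Alert title: which principal was denied which call, in which account."""
    return (
        f"Unauthorized API call {event.get('eventName', '<unknown>')} "
        f"by {deep_get(event, 'userIdentity', 'arn', default='<unknown>')} "
        f"in account {event.get('recipientAccountId', '<unknown>')}"
    )


def dedup(event):
    """Dedup key: one counter per calling principal, so repeated denials from the
    same identity inside the window roll up into one alert (grouping is an assumption)."""
    return deep_get(event, "userIdentity", "arn", default="<unknown>")


def alert_context(event):
    """The attributes the rule summary says are captured for each matching event."""
    return {
        "eventName": event.get("eventName"),
        "eventTime": event.get("eventTime"),
        "userAgent": event.get("userAgent"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "recipientAccountId": event.get("recipientAccountId"),
        "userIdentity": deep_get(event, "userIdentity", "arn"),
        "errorMessage": event.get("errorMessage"),
    }


def evaluate(records):
    """Apply rule() to a batch, count matches per dedup key, and return the keys
    that reached THRESHOLD. Panther does this counting inside the platform over
    the dedup window; here it is simulated for one in-memory batch."""
    counts = Counter(dedup(e) for e in records if rule(e))
    return {key: n for key, n in counts.items() if n >= THRESHOLD}


def make_event(arn, error_code=None, event_name="ListBuckets"):
    """Constructed CloudTrail-like record (sample data, not from any real account)."""
    event = {
        "eventTime": "2022-09-02T12:00:00Z",
        "eventName": event_name,
        "userAgent": "aws-cli/2.7.0",
        "sourceIPAddress": "198.51.100.10",
        "recipientAccountId": "123456789012",
        "userIdentity": {"type": "IAMUser", "arn": arn},
    }
    if error_code:
        event["errorCode"] = error_code
        event["errorMessage"] = "User is not authorized to perform this action"
    return event


if __name__ == "__main__":
    noisy = "arn:aws:iam::123456789012:user/sample-user"
    quiet = "arn:aws:iam::123456789012:user/other-user"
    batch = [make_event(noisy, "AccessDenied") for _ in range(20)]   # reaches the threshold
    batch += [make_event(quiet, "AccessDenied")] * 3                 # below the threshold
    batch += [make_event(quiet)] * 5                                 # successful calls, ignored
    print(json.dumps(evaluate(batch), indent=2))
    print(title(batch[0]))
    print(json.dumps(alert_context(batch[0]), indent=2))
```

Because a single denied call is normal noise (a missing permission, a misconfigured role), the value of this rule lies in the threshold and the dedup key: the key decides what "20 calls" is counted against, so choose it to match the question the team wants answered (per principal, per source IP, or per account).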
Categories
  • Cloud
  • AWS
  • Infrastructure
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1526
Created: 2022-09-02