
Summary
This Elastic rule is a new-terms detection that flags the first occurrence of AWS API activity originating from uncommon desktop S3 clients, specifically S3 Browser and Cyberduck, identified through the user_agent.original field in AWS CloudTrail logs (aws.cloudtrail). The rule only considers activity from these clients that results in successful API calls, since that is what indicates a potential bulk data transfer or exfiltration attempt rather than a failed access. Its first-time (new_terms) approach surfaces a user within an AWS account the first time that user is seen accessing CloudTrail-reported S3 resources through one of these desktop tools; such tools are rarely used in enterprise environments but have been associated with data theft campaigns. By keying on the user agent strings of these tools, the rule aims to surface suspicious activity that would otherwise look legitimate, so that it can be validated against authorized data transfer workflows.
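To make the detection logic concrete, the following is an added Python example (not Elastic's rule code, and not the rule's exact new_terms configuration) that runs the same idea over a handful of constructed CloudTrail-style events: it matches the two client families by user-agent substring, discards failed calls, and raises one alert per first-seen combination of account, caller identity and client. It assumes raw CloudTrail JSON field names (userAgent, recipientAccountId, userIdentity.arn, errorCode) rather than the ECS-mapped user_agent.original the rule queries, and the choice to key the first-seen state on account plus caller ARN plus client is this example's assumption.

```python
"""First-seen detection for uncommon desktop S3 clients in CloudTrail events.

Added example; the sample events are constructed and the new_terms key
(account, caller ARN, client family) is an assumption, not the rule's own.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# User-agent markers for the two desktop clients. Real user_agent.original
# values carry version strings, so substring matching is used instead of
# equality, and matching is case-insensitive.
CLIENT_PATTERNS = {
    "S3 Browser": re.compile(r"s3 ?browser", re.IGNORECASE),
    "Cyberduck": re.compile(r"cyberduck", re.IGNORECASE),
}


def classify_client(user_agent: Optional[str]) -> Optional[str]:
    """Return the client family name if the user agent matches, else None."""
    for name, pattern in CLIENT_PATTERNS.items():
        if pattern.search(user_agent or ""):
            return name
    return None


def is_success(event: Dict) -> bool:
    """CloudTrail records a failed call with an errorCode; success has none."""
    return "errorCode" not in event


class NewTermsDetector:
    """Alert the first time an (account, caller, client) triple is observed."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str, str]] = set()

    def process(self, event: Dict) -> Optional[Dict]:
        user_agent = event.get("userAgent", "")
        client = classify_client(user_agent)
        if client is None or not is_success(event):
            return None
        account = event.get("recipientAccountId", "")
        caller = event.get("userIdentity", {}).get("arn", "")
        key = (account, caller, client)
        if key in self.seen:
            return None  # already known for this account/caller: not new
        self.seen.add(key)
        return {
            "account": account,
            "user": caller,
            "client": client,
            "event_name": event.get("eventName"),
            "event_time": event.get("eventTime"),
            "user_agent": user_agent,
        }


def run(events: Iterable[Dict]) -> List[Dict]:
    """Stream events through the detector in order and collect alerts."""
    detector = NewTermsDetector()
    return [a for a in (detector.process(e) for e in events) if a]


def _event(account: str, user: str, name: str, agent: str, when: str, error: Optional[str] = None) -> Dict:
    """Build a minimal constructed CloudTrail-style record."""
    rec = {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "eventTime": when,
        "recipientAccountId": account,
        "userIdentity": {"arn": f"arn:aws:iam::{account}:user/{user}"},
        "userAgent": agent,
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample input: a normal CLI call, two S3 Browser calls by the
# same user, a failed then a successful Cyberduck call, and S3 Browser use
# by the same user name in a second account.
SAMPLE_EVENTS = [
    _event("111111111111", "alice", "ListBuckets", "aws-cli/2.15.0 Python/3.11", "2026-02-09T10:00:00Z"),
    _event("111111111111", "alice", "ListObjects", "S3 Browser 11.6.7 https://s3browser.com", "2026-02-09T10:05:00Z"),
    _event("111111111111", "alice", "GetObject", "S3 Browser 11.6.7 https://s3browser.com", "2026-02-09T10:06:00Z"),
    _event("111111111111", "bob", "PutObject", "Cyberduck/8.7.3 (Mac OS X)", "2026-02-09T11:00:00Z", error="AccessDenied"),
    _event("111111111111", "bob", "PutObject", "Cyberduck/8.7.3 (Mac OS X)", "2026-02-09T11:02:00Z"),
    _event("222222222222", "alice", "GetObject", "S3 Browser 11.6.7 https://s3browser.com", "2026-02-09T12:00:00Z"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert['event_time']} first {alert['client']} use by {alert['user']} ({alert['event_name']})")
```

Running the block prints three alerts: alice's first S3 Browser call in the first account, bob's first successful Cyberduck call (the AccessDenied attempt is ignored, matching the rule's focus on successful API calls), and alice's first S3 Browser call in the second account. The second S3 Browser call by alice in the first account is suppressed, which is the new_terms behaviour the rule relies on; in production the seen set would be a persisted lookback window rather than process memory.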
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1567
- T1567.002
Created: 2026-02-09