
Summary
This rule detects potential abuse of AWS GetSigninToken to obtain a federated console session using temporary STS credentials. It targets GetSigninToken calls originating from non-SSO user agents, which can indicate an attacker converting compromised long-term or temporary credentials into a federated console session, thereby bypassing MFA and obscuring the original access key. The detection analyzes CloudTrail sign-in events (eventSource signin.amazonaws.com) for GetSigninToken API calls, focusing on sessions tied to assumed roles, and flags activity that diverges from legitimate SSO portal usage. Key signals include non-SSO user agents (e.g., generic HTTP clients), unusual source IPs, and atypical patterns around the associated ARN/accessKeyId. The rule supports threat hunting by correlating with other alerts from the same credentials within the past week and with related ConsoleLogin/console-based actions in a six-hour window around the event. It includes scenario-based tests to differentiate suspicious activity from legitimate SSO usage and normal sign-ins, reducing false positives when matched against known legitimate tokens. The rule is mapped to MITRE ATT&CK techniques TA0008:T1021.007 and TA0005:T1550.001, and provides a practical runbook for investigation and context gathering. It uses a 60-minute dedup window and requires at least one matching indicator to trigger an alert (Threshold: 1). Reference documentation and examples guide analysts in validating the event's legitimacy and understanding potential credential abuse.
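The following is an added example, not the rule's own code, that re-implements the detection logic the summary describes as a stand-alone Python script: it matches GetSigninToken on signin.amazonaws.com from assumed-role sessions with a non-SSO user agent, applies a 60-minute dedup window keyed on the accessKeyId, and includes the runbook's six-hour ConsoleLogin correlation. The CloudTrail records, account ID, role names, access key IDs, IP addresses and the list of generic-client user-agent markers are all constructed assumptions; tune the marker list to what legitimate SSO portal sessions actually present in your own logs.

```python
"""Added example: reimplementation of the GetSigninToken detection described above.
All sample records and the user-agent marker list are constructed placeholders."""
from datetime import datetime, timedelta, timezone

SIGNIN_EVENT_SOURCE = "signin.amazonaws.com"
TARGET_EVENT_NAME = "GetSigninToken"
DEDUP_WINDOW = timedelta(minutes=60)       # rule's stated dedup window
CORRELATION_WINDOW = timedelta(hours=6)    # runbook's ConsoleLogin lookback/lookahead

# Assumption (placeholder heuristic): substrings typical of scripted HTTP clients.
# A browser-driven SSO portal session would not normally present any of these.
GENERIC_CLIENT_MARKERS = ("python-requests", "curl/", "Go-http-client",
                          "aws-cli", "Boto3", "okhttp", "Java/")


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2026-04-21T10:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_non_sso_user_agent(user_agent) -> bool:
    """True when the user agent is absent or looks like a generic HTTP client."""
    if not user_agent:
        return True
    return any(marker in user_agent for marker in GENERIC_CLIENT_MARKERS)


def rule(event: dict) -> bool:
    """Core match: GetSigninToken on the sign-in endpoint, from an assumed-role
    session, with a user agent that does not look like the SSO portal."""
    if event.get("eventSource") != SIGNIN_EVENT_SOURCE:
        return False
    if event.get("eventName") != TARGET_EVENT_NAME:
        return False
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    return is_non_sso_user_agent(event.get("userAgent"))


def dedup_key(event: dict) -> str:
    """Dedup on the temporary access key, falling back to the session ARN."""
    identity = event.get("userIdentity", {})
    return identity.get("accessKeyId") or identity.get("arn") or "unknown"


class Detector:
    """Applies rule() and suppresses repeat alerts for the same credential
    inside the 60-minute dedup window (threshold 1: a single match alerts)."""

    def __init__(self):
        self._last_alert = {}

    def process(self, event: dict):
        if not rule(event):
            return None
        key = dedup_key(event)
        now = parse_time(event["eventTime"])
        last = self._last_alert.get(key)
        if last is not None and now - last < DEDUP_WINDOW:
            return None  # matched, but deduplicated into the earlier alert
        self._last_alert[key] = now
        identity = event["userIdentity"]
        return {
            "title": f"GetSigninToken from non-SSO client by {identity.get('arn')}",
            "access_key_id": key,
            "source_ip": event.get("sourceIPAddress"),
            "user_agent": event.get("userAgent"),
            "event_time": event["eventTime"],
        }


def related_console_logins(events, arn: str, event_time: datetime):
    """Runbook helper: ConsoleLogin events for the same ARN within +/- 6 hours."""
    lo, hi = event_time - CORRELATION_WINDOW, event_time + CORRELATION_WINDOW
    return [e for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("userIdentity", {}).get("arn") == arn
            and lo <= parse_time(e["eventTime"]) <= hi]


# Constructed sample records (placeholder account, role, key and IP values).
ARN = "arn:aws:sts::123456789012:assumed-role/ExampleAdminRole/session1"
IDENTITY = {"type": "AssumedRole", "arn": ARN, "accessKeyId": "ASIAEXAMPLEKEY00001"}


def _rec(name, ts, ua, ip="203.0.113.10"):
    return {"eventSource": SIGNIN_EVENT_SOURCE, "eventName": name, "eventTime": ts,
            "userIdentity": dict(IDENTITY), "userAgent": ua, "sourceIPAddress": ip}


SAMPLE_EVENTS = [
    _rec("GetSigninToken", "2026-04-21T10:15:00Z", "python-requests/2.31.0"),  # alert
    _rec("GetSigninToken", "2026-04-21T10:45:00Z", "curl/8.4.0"),              # deduped
    _rec("GetSigninToken", "2026-04-21T10:50:00Z",
         "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"),                # browser: no match
    _rec("ConsoleLogin", "2026-04-21T10:20:00Z", "python-requests/2.31.0"),    # correlation hit
    _rec("GetSigninToken", "2026-04-21T12:30:00Z", "python-requests/2.31.0"),  # new alert
]


def run_demo():
    """Feed the sample records through the detector in order; returns the alerts."""
    detector = Detector()
    return [a for a in (detector.process(e) for e in SAMPLE_EVENTS) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["event_time"], alert["title"], alert["source_ip"])
    hits = related_console_logins(SAMPLE_EVENTS, ARN, parse_time("2026-04-21T10:15:00Z"))
    print(f"{len(hits)} related ConsoleLogin event(s) within 6h")
```

Running the script produces two alerts from five records: the second GetSigninToken call is folded into the first by the dedup window, the browser-like user agent is treated as legitimate portal usage and does not match, and the ConsoleLogin five minutes after the first event is returned by the correlation helper for the runbook step.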
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1021.007
- T1550.001
Created: 2026-04-21