
Summary
This detection rule identifies new API calls made by user roles in an AWS environment, that is, calls that have not been seen before or not within the last hour. It specifically targets API calls made by identities of type `AssumedRole`, using AWS CloudTrail logs. The rule runs a series of searches that capture attributes of each API call, including the event name and the username associated with it. It first retrieves the API call logs and compares them against a list of previously seen API calls stored in a lookup file, then evaluates those logs to determine whether any API calls from user roles are new within a specified time frame, specifically the last 70 minutes. The output includes the event name and details about the user roles involved in these calls, supporting further investigation of potentially anomalous activity.
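As an added illustration, not the rule's own search logic, the comparison the summary describes is worked through in Python over constructed CloudTrail records; the record fields, the role and session names, and the lookup contents are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real logs), trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-14T11:50:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session"}},
    {"eventTime": "2024-11-14T11:52:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session"}},
    {"eventTime": "2024-11-14T11:55:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]
# Constructed stand-in for the rule's lookup file: (role, eventName) -> when first seen.
BASELINE = {("DeployRole", "ListBuckets"): datetime(2024, 11, 1, tzinfo=timezone.utc)}
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)

def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-11-14T11:52:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def role_name(identity):
    """Role name from an AssumedRole ARN (.../assumed-role/<Role>/<Session>), else None."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity["arn"].rsplit(":", 1)[1].split("/")[1]

def find_new_role_api_calls(events, baseline, now, window_minutes=70):
    """Return (findings, updated_baseline).

    A (role, eventName) pair is reported when the call lies inside the window and the pair
    is absent from the baseline or was first seen inside the window; that is what "new within
    the last 70 minutes" means here. Other identity types and older events are ignored.
    """
    cutoff = now - timedelta(minutes=window_minutes)
    updated = dict(baseline)  # the caller's lookup is left untouched
    findings = {}
    for ev in events:
        role = role_name(ev["userIdentity"])
        when = parse_time(ev["eventTime"])
        if role is None or when < cutoff:
            continue
        key = (role, ev["eventName"])
        first_seen = updated.setdefault(key, when)  # unseen pairs enter the lookup now
        if first_seen >= cutoff and key not in findings:
            findings[key] = {"role": role, "eventName": ev["eventName"],
                             "firstSeen": first_seen.isoformat()}
    return list(findings.values()), updated
```

With the sample data only GetCallerIdentity by DeployRole is reported: ListBuckets was already in the lookup from two weeks earlier, and the IAMUser call is out of scope for this rule.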
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1078.004
Created: 2024-11-14