AWS GetFederationToken

Anvilogic Forge

Summary
This rule detects attempts by threat actors to obtain temporary AWS credentials through the GetFederationToken API. The API lets a caller request temporary security credentials for access to AWS resources; when abused, it grants access without relying on long-term credentials, which complicates detection. The detection logic uses AWS CloudTrail logs to track specific characteristics of GetFederationToken requests, including the calling identity, the source IP address, and the permissions attached to the request. It aims to identify initial access, privilege escalation, or persistence activity in AWS environments that may indicate a compromise: the individual facets of each request are analyzed, and statistics aggregated by user and time are used to surface anomalous patterns that match known threat behavior.
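As an added illustration of the logic described above (example code written for this page, not the rule's own implementation and not Anvilogic Forge's code), the following Python prototype applies the same idea to constructed CloudTrail records: it pulls the caller, source IP and inline-policy actions from each GetFederationToken event, aggregates them per caller and hour, and flags buckets that exceed thresholds. The sample records, the field selection and the thresholds in `flag()` are assumptions to be tuned against your own baseline.

```python
import json
from collections import defaultdict

def _ev(time, arn, ip, name, actions, event_name="GetFederationToken"):
    """Build a minimal, constructed CloudTrail record (sample data, not real telemetry).
    CloudTrail stores the inline session policy under requestParameters.policy as a JSON string."""
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}
    return {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": ip,
            "requestParameters": {"name": name, "durationSeconds": 3600, "policy": json.dumps(policy)}}

SAMPLE_EVENTS = [
    # baseline: a service user mints one narrowly scoped token per hour from its usual address
    _ev("2025-05-20T09:12:01Z", "arn:aws:iam::111122223333:user/app-svc", "10.0.1.5", "web-1", ["s3:GetObject"]),
    _ev("2025-05-20T10:05:44Z", "arn:aws:iam::111122223333:user/app-svc", "10.0.1.5", "web-2", ["s3:GetObject"]),
    # anomalous: several calls within one hour, from two addresses, carrying a wildcard policy
    _ev("2025-05-20T11:01:10Z", "arn:aws:iam::111122223333:user/ops-jane", "203.0.113.7", "tmp", "*"),
    _ev("2025-05-20T11:02:33Z", "arn:aws:iam::111122223333:user/ops-jane", "203.0.113.7", "tmp", "*"),
    _ev("2025-05-20T11:03:50Z", "arn:aws:iam::111122223333:user/ops-jane", "198.51.100.9", "tmp", "*"),
    # a different STS call in the same hour that the rule must leave alone
    _ev("2025-05-20T11:04:00Z", "arn:aws:iam::111122223333:user/ops-jane", "198.51.100.9", "x", ["s3:*"], "GetSessionToken"),
]

def extract(event):
    """Return the fields the rule keys on, or None if the record is not a GetFederationToken call."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "GetFederationToken":
        return None
    params = event.get("requestParameters") or {}
    actions = []
    for stmt in json.loads(params.get("policy") or "{}").get("Statement", []):
        act = stmt.get("Action", [])
        actions += [act] if isinstance(act, str) else act   # Action may be a string or a list
    return {"user": event["userIdentity"].get("arn"), "src_ip": event.get("sourceIPAddress"),
            "federated_name": params.get("name"), "duration": params.get("durationSeconds"),
            "actions": actions, "hour": event["eventTime"][:13]}   # bucket key: YYYY-MM-DDTHH

def aggregate(events):
    """Per (caller, hour): call count, distinct source IPs, and whether any policy granted '*'."""
    buckets = defaultdict(lambda: {"count": 0, "src_ips": set(), "wildcard": False})
    for f in filter(None, map(extract, events)):
        b = buckets[(f["user"], f["hour"])]
        b["count"] += 1
        b["src_ips"].add(f["src_ip"])
        b["wildcard"] |= "*" in f["actions"]
    return dict(buckets)

def flag(buckets, max_calls=2, max_ips=1):
    """Buckets above the (assumed) per-hour thresholds, or whose session policy was a full wildcard."""
    return sorted(k for k, b in buckets.items()
                  if b["count"] > max_calls or len(b["src_ips"]) > max_ips or b["wildcard"])
```

Running `flag(aggregate(SAMPLE_EVENTS))` on the constructed records returns only the ops-jane bucket for 11:00, since the two app-svc hours stay within the thresholds and the GetSessionToken record is filtered out by `extract()`.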
Categories
  • AWS
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Cloud Service
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1528
Created: 2025-05-20