
AWS EC2 Role GetCallerIdentity from New Source AS Organization

Elastic Detection Rules

Summary
This rule detects the first occurrence of an EC2 instance role session invoking AWS STS GetCallerIdentity from a source Autonomous System (AS) organization name that is new for the observed IAM principal. It keys on the combination of aws.cloudtrail.user_identity.arn and source.as.organization.name within a 10-day history window, triggering on the first observation of that pair and suppressing subsequent alerts for the same role as it continues to use a stable egress AS organization (e.g., a NAT or provider label). The intent is to identify potential credential theft or overuse of instance role credentials when they are validated from unusual or new network origins, while reducing noise from normal, repeated activity by baselining the identity together with its source network context.

The rule is tuned to alert on new source networks for EC2 roles rather than on every GetCallerIdentity call from any source, and to correlate with other indicators (e.g., user_agent.original, access_key_id) for triage. Triage and analysis guidance is provided to confirm assumed-role activity, map instances to accounts and VPCs, and assess expected egress. The rule aligns with identity and access audit use cases and maps to MITRE ATT&CK Discovery (Cloud Account) to contextualize potential reconnaissance or credential misuse.

False positives can arise from new instances or roles, NAT or IP renumbering, or GeoIP enrichment changes; remediation focuses on credential rotation, tightening trust, and investigating the initial access vector. Possible investigation steps include validating the assumed-role ARN and instance ID, cross-referencing the source organization with historical identity data, checking user_agent.original for tooling inconsistencies, and correlating with alerts from the same access_key_id or instance over the prior 48 hours. If credential compromise is suspected, revoke sessions, reconfigure instance roles, rotate long-lived secrets, and tighten IAM permissions.
For additional context, consult GetCallerIdentity API docs and related AWS security guidance.
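To make the baselining concrete, the following is an added Python sketch, not Elastic's rule implementation (the real rule runs as a new-terms query inside the platform), that applies the same first-seen logic over a few constructed CloudTrail events. The test for an EC2 role session (an assumed-role ARN whose session name begins with `i-`) and the flattened ECS field names are assumptions made here.

```python
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)  # the 10-day history window from the rule summary

# Constructed sample CloudTrail events in ECS-style flattened form (not real data).
SAMPLE_EVENTS = [
    # Day 1: instance role validates its credentials from the usual egress AS.
    {"@timestamp": "2026-04-01T10:00:00Z", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123",
     "source.as.organization.name": "AMAZON-02", "user_agent.original": "aws-cli/2.15.0"},
    # Day 2: same (ARN, AS org) pair again -> suppressed as already known.
    {"@timestamp": "2026-04-02T10:00:00Z", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123",
     "source.as.organization.name": "AMAZON-02", "user_agent.original": "aws-cli/2.15.0"},
    # Day 3: same role session from a never-seen AS org with a different tool -> alert.
    {"@timestamp": "2026-04-03T11:00:00Z", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123",
     "source.as.organization.name": "CONSTRUCTED-VPN-PROVIDER", "user_agent.original": "python-requests/2.31"},
    # Human assumed-role session (session name is not an instance id) -> out of scope.
    {"@timestamp": "2026-04-03T12:00:00Z", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/ops-role/alice",
     "source.as.organization.name": "CONSTRUCTED-VPN-PROVIDER", "user_agent.original": "aws-cli/2.15.0"},
    # Day 20: known pair, but its last sighting is older than the window -> treated as new again.
    {"@timestamp": "2026-04-20T10:00:00Z", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123",
     "source.as.organization.name": "AMAZON-02", "user_agent.original": "aws-cli/2.15.0"},
]


def is_ec2_role_session(arn):
    """Assumed heuristic: EC2 instance-role sessions use the instance id as the session name."""
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def detect_new_source_as(events, window=HISTORY_WINDOW):
    """Return one alert per first sighting of a (principal ARN, source AS org) pair within `window`."""
    last_seen = {}  # (arn, org) -> timestamp of the most recent sighting
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        arn = ev.get("aws.cloudtrail.user_identity.arn", "")
        org = ev.get("source.as.organization.name")
        if ev.get("event.action") != "GetCallerIdentity" or not org or not is_ec2_role_session(arn):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        prev = last_seen.get((arn, org))
        if prev is None or ts - prev > window:  # pair never seen, or its baseline has aged out
            alerts.append({"@timestamp": ev["@timestamp"], "arn": arn, "source_as_org": org,
                           "instance_id": arn.rsplit("/", 1)[-1],
                           "user_agent": ev.get("user_agent.original")})  # triage context
        last_seen[(arn, org)] = ts
    return alerts
```

Running `detect_new_source_as(SAMPLE_EVENTS)` yields three alerts: the initial baseline on day 1, the new AS org on day 3, and the aged-out pair on day 20; the human session is ignored.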
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1087
  • T1087.004
Created: 2026-04-03