Detect S3 access from a new IP

Splunk Security Content

Summary
This detection rule identifies potentially unauthorized access to Amazon S3 buckets by flagging access requests from new or previously unseen IP addresses. It uses S3 bucket-access logs and considers only successful requests (HTTP status 200), so that it surfaces access that may indicate unauthorized use or data exfiltration rather than denied attempts. The search correlates the logs against the IP addresses already known to access the specified S3 buckets and raises an alert when access from a new IP is found, since that could indicate a threat to sensitive data stored in the bucket. For accuracy, the rule expects a support search to have been run beforehand to build a historical baseline of the IPs seen in the S3 access logs.
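The correlation the summary describes, written out as an added example rather than the rule's own Splunk search (which this page does not reproduce): a Python script that parses S3 server-access-log lines, builds the baseline of known IPs per bucket from successful requests (the support search's role), and alerts once per bucket and IP on a successful request from an address outside that baseline. The bucket name, addresses, requester ARNs and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record (trailing fields are ignored).
S3_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<http_status>\d{3})'
)

def parse_s3_log(line):
    m = S3_LOG_RE.match(line)
    return m.groupdict() if m else None

def build_baseline(lines):
    """Known IPs per bucket from 200 accesses: what the support search builds."""
    known = defaultdict(set)
    for line in lines:
        rec = parse_s3_log(line)
        if rec and rec["http_status"] == "200":
            known[rec["bucket"]].add(rec["remote_ip"])
    return known

def detect_new_ip_access(lines, known):
    """One alert per (bucket, IP) for a 200 access from an IP not in the baseline."""
    alerts, seen = [], set()
    for line in lines:
        rec = parse_s3_log(line)
        if not rec or rec["http_status"] != "200":  # denied requests are ignored
            continue
        pair = (rec["bucket"], rec["remote_ip"])
        if pair[1] not in known.get(pair[0], set()) and pair not in seen:
            seen.add(pair)
            alerts.append(pair + (rec["operation"], rec["key"]))
    return alerts

# Constructed sample records (RFC 5737 addresses, placeholder owner/requester).
BASELINE_LOGS = [
    'OWNER_ID finance-reports [01/Mar/2024:10:00:01 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ1 REST.GET.OBJECT q1.csv "GET /finance-reports/q1.csv HTTP/1.1" 200 - 1024 1024 12 11 "-" "aws-cli/2.15" -',
    'OWNER_ID finance-reports [01/Mar/2024:10:05:22 +0000] 192.0.2.11 arn:aws:iam::111122223333:user/bob REQ2 REST.PUT.OBJECT q2.csv "PUT /finance-reports/q2.csv HTTP/1.1" 200 - - 2048 30 25 "-" "aws-cli/2.15" -',
]
NEW_LOGS = [
    'OWNER_ID finance-reports [02/Mar/2024:03:14:07 +0000] 203.0.113.42 arn:aws:iam::111122223333:user/alice REQ3 REST.GET.OBJECT q1.csv "GET /finance-reports/q1.csv HTTP/1.1" 200 - 1024 1024 9 8 "-" "aws-cli/2.15" -',  # new IP: alert
    'OWNER_ID finance-reports [02/Mar/2024:03:14:09 +0000] 203.0.113.42 arn:aws:iam::111122223333:user/alice REQ4 REST.GET.OBJECT q2.csv "GET /finance-reports/q2.csv HTTP/1.1" 200 - 2048 2048 9 8 "-" "aws-cli/2.15" -',  # same new IP: deduplicated
    'OWNER_ID finance-reports [02/Mar/2024:03:15:00 +0000] 198.51.100.7 - REQ5 REST.GET.OBJECT q1.csv "GET /finance-reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4" -',  # 403: ignored
    'OWNER_ID finance-reports [02/Mar/2024:09:00:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ6 REST.GET.OBJECT q1.csv "GET /finance-reports/q1.csv HTTP/1.1" 200 - 1024 1024 10 9 "-" "aws-cli/2.15" -',  # baseline IP: no alert
]

def run_example():
    return detect_new_ip_access(NEW_LOGS, build_baseline(BASELINE_LOGS))
```

Running `run_example()` yields a single alert for 203.0.113.42 against the finance-reports bucket; the repeated request from that IP, the denied request, and the known-IP request produce none.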
Categories
  • Cloud
  • AWS
Data Sources
  • Script
ATT&CK Techniques
  • T1530
Created: 2024-11-14