AWS Detect STS Get Session Token Abuse

Splunk Security Content

Summary
This analytic detection rule identifies suspicious invocations of the AWS Security Token Service (STS) GetSessionToken API call by analyzing CloudWatch logs. It looks for anomalies in user behavior, focusing on the source IP address, the time of the event, the calling user identity, and the status of the request. Monitoring GetSessionToken usage matters because attackers can use these tokens to gain unauthorized access to and control over AWS environments, which facilitates lateral movement and privilege escalation. Operators implementing this rule should be aware that the Sts:GetSessionToken event can generate a significant amount of noise; the search will need tuning with additional filtering criteria to reduce false positives and make the detection more accurate.
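The following is an added illustration of the anomaly logic the summary describes (new source IP, unusual hour, failed request, unseen identity), run over a handful of constructed CloudTrail-style GetSessionToken records. It is not Splunk's search and not part of this content pack; the records, the user ARNs and the `TRUSTED_NETWORKS` allowlist are all constructed assumptions used to show how the "additional filtering criteria" tuning the summary mentions can be applied.

```python
"""Flag anomalous sts:GetSessionToken calls in CloudTrail-style records.

Added example, not Splunk's own search. The baseline is learned from a
history window of successful calls; recent events are scored against it.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed identity
BOB = "arn:aws:iam::111122223333:user/bob"       # constructed identity

def _rec(eid, when, name, ip, arn, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventID": eid, "eventTime": when, "eventSource": "sts.amazonaws.com",
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# History window used to learn normal behaviour (constructed, not real logs).
HISTORY = [
    _rec("h1", "2024-11-01T09:12:00Z", "GetSessionToken", "203.0.113.10", ALICE),
    _rec("h2", "2024-11-02T10:05:00Z", "GetSessionToken", "203.0.113.10", ALICE),
    _rec("h3", "2024-11-03T11:40:00Z", "GetSessionToken", "203.0.113.11", ALICE),
    # Not GetSessionToken: must not contribute this IP to the baseline.
    _rec("h4", "2024-11-04T22:00:00Z", "AssumeRole", "198.51.100.77", ALICE),
    # Failed call: excluded from the baseline so denied attempts do not "teach" it.
    _rec("h5", "2024-11-05T23:00:00Z", "GetSessionToken", "192.0.2.99", ALICE, "AccessDenied"),
]

# Recent window to be scored (constructed).
RECENT = [
    _rec("r1", "2024-11-14T10:00:00Z", "GetSessionToken", "203.0.113.10", ALICE),
    _rec("r2", "2024-11-14T03:15:00Z", "GetSessionToken", "198.51.100.77", ALICE),
    _rec("r3", "2024-11-14T09:30:00Z", "GetSessionToken", "203.0.113.10", ALICE, "AccessDenied"),
    _rec("r4", "2024-11-14T12:00:00Z", "GetSessionToken", "192.0.2.5", BOB),
    _rec("r5", "2024-11-14T02:00:00Z", "GetSessionToken", "10.0.0.5", ALICE),
    _rec("r6", "2024-11-14T12:30:00Z", "AssumeRole", "192.0.2.5", BOB),
]

# Tuning knob (assumed): corporate ranges whose IPs are never "new".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOUR_TOLERANCE = 1  # hours away from any baseline hour still count as normal

def is_get_session_token(rec):
    return (rec.get("eventSource") == "sts.amazonaws.com"
            and rec.get("eventName") == "GetSessionToken")

def actor(rec):
    return rec.get("userIdentity", {}).get("arn", "<unknown>")

def event_hour(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour

def build_baseline(records):
    """Per-identity set of source IPs and hours seen on successful calls."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for rec in records:
        if not is_get_session_token(rec) or "errorCode" in rec:
            continue
        b = baseline[actor(rec)]
        b["ips"].add(rec["sourceIPAddress"])
        b["hours"].add(event_hour(rec))
    return baseline

def in_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def hour_is_unusual(hour, baseline_hours):
    """Circular distance on a 24h clock to the nearest baseline hour."""
    dist = min(min((hour - h) % 24, (h - hour) % 24) for h in baseline_hours)
    return dist > HOUR_TOLERANCE

def score_event(rec, baseline):
    """Return the list of anomaly reasons for one GetSessionToken record."""
    reasons = []
    if "errorCode" in rec:
        reasons.append("failed_request")
    user = actor(rec)
    if user not in baseline:
        reasons.append("unknown_user")
        return reasons
    b = baseline[user]
    ip = rec["sourceIPAddress"]
    if ip not in b["ips"] and not in_trusted_network(ip):
        reasons.append("new_source_ip")
    if hour_is_unusual(event_hour(rec), b["hours"]):
        reasons.append("unusual_hour")
    return reasons

def detect(records, baseline):
    """Yield (eventID, identity, reasons) for GetSessionToken calls that look off."""
    findings = []
    for rec in records:
        if not is_get_session_token(rec):
            continue
        reasons = score_event(rec, baseline)
        if reasons:
            findings.append((rec["eventID"], actor(rec), reasons))
    return findings

if __name__ == "__main__":
    for eid, who, why in detect(RECENT, build_baseline(HISTORY)):
        print(eid, who, ", ".join(why))
```

Event r1 is the quiet case and produces nothing; r2 combines a never-seen IP with a 03:15 call; r3 is a denied request from an otherwise normal source; r4 is an identity with no history at all; r5 comes from the trusted range, so only the hour fires. Each reason maps to one of the fields the summary names, which is where tuning belongs: widen `HOUR_TOLERANCE`, extend `TRUSTED_NETWORKS`, or require two reasons before alerting, depending on how noisy GetSessionToken is in the account.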
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1550
Created: 2024-11-14