Detect API activity from users without MFA

Splunk Security Content

Summary
This rule detects API activity in AWS cloud environments from users who have not authenticated with Multi-Factor Authentication (MFA). It leverages AWS CloudTrail events, which record each API call together with the calling identity, and filters on the session attribute `mfaAuthenticated=false` (CloudTrail carries it under `userIdentity.sessionContext.attributes.mfaAuthenticated`), capturing activity performed without the additional security layer that MFA provides. AWS best practices emphasize MFA for privileged Identity and Access Management (IAM) users to mitigate unauthorized access risk. To reduce false positives, the rule excludes known service accounts from detection. Note that `mfaAuthenticated` is only populated when the request carries a session context (console sessions and temporary credentials); API calls signed directly with long-term IAM access keys have no session context, so they do not match `mfaAuthenticated=false` and are not covered by this rule. Implementing this rule requires the AWS App for Splunk and corresponding configurations, as well as additional steps to display relevant event metadata within the incident management system.
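The following is an added example, not the rule's own SPL or any Splunk Security Content code: the same detection logic re-implemented in Python over a few constructed CloudTrail records, so the field being tested, the service-account exclusion, and the gap for records without a session context can be seen end to end. The account ID, ARNs and the `SERVICE_ACCOUNTS` allowlist are placeholders standing in for the rule's service-account lookup; matching the allowlist on `userIdentity.arn` is an assumption about how that lookup is keyed.

```python
"""Re-implementation (added example) of "Detect API activity from users without MFA".

CloudTrail stores mfaAuthenticated as the string "true"/"false" inside
userIdentity.sessionContext.attributes, and only when the request used
temporary credentials or a console session. Long-term access-key requests
carry no sessionContext, so the attribute is absent rather than "false".
"""
import json

# Constructed CloudTrail records (not real logs); account ID and ARNs are placeholders.
SAMPLE_CLOUDTRAIL = [
    # Console session with MFA: must not fire.
    '{"eventTime":"2024-11-14T10:01:02Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice",'
    '"sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2024-11-14T09:58:00Z"}}}}',
    # Console session without MFA: should fire.
    '{"eventTime":"2024-11-14T10:02:15Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob",'
    '"sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2024-11-14T10:00:00Z"}}}}',
    # Known service account without MFA: suppressed by the allowlist.
    '{"eventTime":"2024-11-14T10:03:40Z","eventName":"PutObject","eventSource":"s3.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/backup-svc",'
    '"sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2024-11-14T10:00:00Z"}}}}',
    # Long-term access key: no sessionContext at all, so mfaAuthenticated=false never matches.
    '{"eventTime":"2024-11-14T10:04:09Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol",'
    '"accessKeyId":"AKIAEXAMPLEPLACEHOLDER"}}',
]

# Hypothetical stand-in for the rule's service-account lookup, keyed on userIdentity.arn.
SERVICE_ACCOUNTS = {"arn:aws:iam::123456789012:user/backup-svc"}


def mfa_authenticated(record):
    """Return "true", "false", or None when the record carries no sessionContext."""
    identity = record.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated")


def is_service_account(record, service_accounts):
    """Allowlist check equivalent to the rule's service-account exclusion."""
    return record.get("userIdentity", {}).get("arn") in service_accounts


def detect_no_mfa(raw_events, service_accounts, report_missing=False):
    """Return one finding per non-allowlisted API call made without MFA.

    With report_missing=True, records lacking a sessionContext (long-term
    credentials) are also reported, which the SPL rule as written does not do.
    """
    findings = []
    for line in raw_events:
        record = json.loads(line)
        if is_service_account(record, service_accounts):
            continue
        status = mfa_authenticated(record)
        base = {
            "arn": record.get("userIdentity", {}).get("arn"),
            "eventName": record.get("eventName"),
            "eventTime": record.get("eventTime"),
        }
        if status == "false":
            findings.append({**base, "reason": "mfaAuthenticated=false"})
        elif status is None and report_missing:
            findings.append({**base, "reason": "no sessionContext (long-term credential)"})
    return findings


if __name__ == "__main__":
    for finding in detect_no_mfa(SAMPLE_CLOUDTRAIL, SERVICE_ACCOUNTS, report_missing=True):
        print(finding)
```

Run as-is, the rule's own logic (`report_missing=False`) produces a single finding for `bob`; the `carol` record is invisible to it because there is no `mfaAuthenticated` attribute to compare against, which is why an environment that wants to enforce MFA for everything also needs to inventory long-term access keys rather than rely on this rule alone.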
Categories
  • Cloud
  • AWS
  • Network
Data Sources
  • Cloud Service
  • User Account
Created: 2024-11-14