LoFP / administrators or automated systems may legitimately perform multiple `describe` and `list` api calls in a short time frame. verify the user identity and the purpose of the api calls to determine if the behavior is expected.

from logs-aws.cloudtrail*

// create time window buckets of 10 seconds
| eval time_window = date_trunc(10 seconds, @timestamp)
| where
    event.dataset == "aws.cloudtrail"

    // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
    and event.provider in (
      "iam.amazonaws.com",
      "ec2.amazonaws.com",
      "s3.amazonaws.com",
      "rds.amazonaws.com",
      "lambda.amazonaws.com",
      "dynamodb.amazonaws.com",
      "kms.amazonaws.com",
      "cloudfront.amazonaws.com",
      "elasticloadbalancing.amazonaws.com",
      "cloudfront.amazonaws.com"
    )

    // ignore AWS service actions
    and aws.cloudtrail.user_identity.type != "AWSService"

    // filter for aws-cli specifically
    and user_agent.name == "aws-cli"

    // exclude DescribeCapacityReservations events related to AWS Config
    and not event.action in ("DescribeCapacityReservations")

// filter for Describe, Get, List, and Generate API calls
| where true in (
    starts_with(event.action, "Describe"),
    starts_with(event.action, "Get"),
    starts_with(event.action, "List"),
    starts_with(event.action, "Generate")
)
// extract owner, identity type, and actor from the ARN
| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
| where starts_with(actor, "AWSServiceRoleForConfig") != true
| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
| stats
    // count the number of unique API calls per time window and actor
    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn

// filter for more than 5 unique API calls per time window
| where unique_api_count > 5

// sort the results by the number of unique API calls in descending order
| sort unique_api_count desc