In the context of AWS security, detecting unauthorized access to an account is crucial. This can occur when a third-party tool is granted access to monitor infrastructure or optimize bills, making it hard to track due to permission models. Datadog Cloud SIEM offers a solution by automatically detecting when a user assumes a role, allowing teams to investigate and take action before the threat propagates further. The platform analyzes log data over a chosen period to establish a baseline of expected behavior, generating Security Signals for anomalous activity. By setting up a term-based rule, teams can be alerted whenever an unfamiliar AWS account assumes a role in their environment, enabling swift investigation and response.