AWS ECR Container Upload Unknown User

Splunk Security Content

Summary
This detection rule monitors AWS Elastic Container Registry (ECR) for container images pushed by principals that are not recognized as authorized. It searches AWS CloudTrail logs for `PutImage` events whose `eventSource` is the ECR service and excludes events performed by known, allowlisted users. The underlying assumption is that image uploads should be performed by a small, defined set of principals (typically a CI/CD build role or a few release engineers), so a push by any other identity is anomalous and potentially malicious. An unauthorized push may indicate compromised credentials or a software supply-chain attack, with risks such as the deployment of a backdoored image into the workloads that pull from that repository, unauthorized data access or manipulation, and further compromise across the AWS environment. The rule assigns these events high severity so that security teams triage and respond immediately. When tuning the allowlist, note that for assumed-role sessions CloudTrail records a per-session ARN under `userIdentity.arn`, while the stable role ARN is in `userIdentity.sessionContext.sessionIssuer.arn`; keying the allowlist on the role (or IAM user) ARN rather than the session ARN avoids both noisy false positives and gaps when session names vary.
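The detection described above, as an added example that is not the Splunk rule's own SPL: the same logic (restrict CloudTrail records to ECR `PutImage`, then drop events from an allowlist of known principals) implemented in Python over a constructed CloudTrail log excerpt. The account ID, ARNs, repository names, IP addresses and the allowlist itself are all made up for this example. It keys the allowlist on the role ARN from `sessionContext.sessionIssuer` rather than the per-session assumed-role ARN, which is the check a practitioner wants when CI pushes come from an assumed role, and it ignores non-`PutImage` ECR calls from the same unknown identity so that only real uploads alert.

```python
"""Flag ECR PutImage events from principals not on an allowlist.

Added example (constructed data), not Splunk's rule or AWS code. The CloudTrail
field names (eventSource, eventName, userIdentity.*, requestParameters.*)
are the ones CloudTrail actually writes; every value below is made up.
"""
import json

# Constructed allowlist: stable ARNs of the identities expected to push images.
# For assumed-role sessions this is the role ARN (sessionIssuer), never the
# arn:aws:sts::...:assumed-role/Role/Session ARN that changes per session.
AUTHORIZED_PRINCIPALS = {
    "arn:aws:iam::123456789012:role/ci-image-builder",
    "arn:aws:iam::123456789012:user/release-engineer",
}

# Constructed CloudTrail excerpt in the {"Records": [...]} layout CloudTrail
# delivers to S3. Four ECR API calls; only two of them should alert.
SAMPLE_LOG = r'''
{"Records": [
 {"eventTime": "2024-11-14T09:01:12Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
  "awsRegion": "us-east-1", "sourceIPAddress": "10.0.5.21", "recipientAccountId": "123456789012",
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:build-4711",
   "arn": "arn:aws:sts::123456789012:assumed-role/ci-image-builder/build-4711", "accountId": "123456789012",
   "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/ci-image-builder"}}},
  "requestParameters": {"registryId": "123456789012", "repositoryName": "payments-api", "imageTag": "v2.3.1"}},
 {"eventTime": "2024-11-14T09:05:40Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "recipientAccountId": "123456789012",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "userName": "contractor-temp",
   "arn": "arn:aws:iam::123456789012:user/contractor-temp", "accountId": "123456789012"},
  "requestParameters": {"registryId": "123456789012", "repositoryName": "payments-api", "imageTag": "v2.3.1"}},
 {"eventTime": "2024-11-14T09:06:02Z", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeRepositories",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "recipientAccountId": "123456789012",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "userName": "contractor-temp",
   "arn": "arn:aws:iam::123456789012:user/contractor-temp", "accountId": "123456789012"},
  "requestParameters": null},
 {"eventTime": "2024-11-14T09:10:55Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
  "awsRegion": "us-east-1", "sourceIPAddress": "10.0.7.44", "recipientAccountId": "123456789012",
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE3:i-0abc123",
   "arn": "arn:aws:sts::123456789012:assumed-role/ec2-app-instance/i-0abc123", "accountId": "123456789012",
   "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/ec2-app-instance"}}},
  "requestParameters": {"registryId": "123456789012", "repositoryName": "frontend", "imageTag": "latest"}}
]}
'''


def load_records(text):
    """Parse a CloudTrail log file body and return its list of records."""
    return json.loads(text)["Records"]


def principal_of(event):
    """Return the stable identity ARN to match against the allowlist.

    AssumedRole sessions carry a per-session ARN in userIdentity.arn; the role
    that issued the session is in sessionContext.sessionIssuer.arn. Other
    identity types (IAMUser, Root, ...) are matched on userIdentity.arn.
    """
    ident = event.get("userIdentity") or {}
    if ident.get("type") == "AssumedRole":
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        return issuer.get("arn") or ident.get("arn")
    return ident.get("arn")


def is_ecr_put_image(event):
    """True for the CloudTrail record an image push produces."""
    return (event.get("eventSource") == "ecr.amazonaws.com"
            and event.get("eventName") == "PutImage")


def find_unknown_uploads(events, allowlist=AUTHORIZED_PRINCIPALS):
    """Return one finding per PutImage whose principal is not allowlisted.

    Mirrors the rule: filter to ECR PutImage first, then exclude known users,
    so unknown identities doing read-only ECR calls do not alert here.
    """
    findings = []
    for ev in events:
        if not is_ecr_put_image(ev):
            continue
        who = principal_of(ev)
        if who in allowlist:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "time": ev.get("eventTime"),
            "principal": who,
            "session_arn": (ev.get("userIdentity") or {}).get("arn"),
            "repository": params.get("repositoryName"),
            "tag": params.get("imageTag"),
            "source_ip": ev.get("sourceIPAddress"),
            "account": ev.get("recipientAccountId"),
        })
    return findings


SAMPLE_EVENTS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in find_unknown_uploads(SAMPLE_EVENTS):
        print(f"[HIGH] unknown ECR upload by {hit['principal']} to "
              f"{hit['repository']}:{hit['tag']} from {hit['source_ip']} at {hit['time']}")
```

The second constructed record is worth a second look when triaging: an unknown IAM user re-pushing an existing tag (`payments-api:v2.3.1`) silently replaces the image that a CI role published minutes earlier, which is exactly the supply-chain outcome the rule is meant to catch. Repositories with tag immutability enabled would reject that push, so the CloudTrail record would still appear but with an error code; an allowlist check on the role ARN, as above, is what keeps the CI role's varying session names from showing up as unknowns.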
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1204
  • T1204.003
Created: 2024-11-14