First Time AWS Cloudformation Stack Creation by User

Elastic Detection Rules

Summary
This rule detects the first time a user or role has created an AWS CloudFormation stack within the past ten days. It watches the `CreateStack` and `CreateStackSet` API calls, which deploy AWS resources from a template. If an unauthorized principal performs these actions, the resulting resources can be used to stage further attacks or to exploit the cloud environment. The detection runs on AWS CloudTrail logs and only considers CloudFormation events whose outcome is a success. To reduce false positives, known legitimate behavior (for example, a deployment role) can be exempted and the history window adjusted to match expected activity. The rule emphasizes early detection of potentially unauthorized use of AWS resources so that administrators can investigate and respond promptly to suspicious activity that could affect the security of their AWS environment.
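The following is an added example that re-implements the logic described above as a small, offline Python script. It is not the Elastic rule itself (which is a Kibana query, not Python) and not code from the detection-rules repository. It reads trimmed CloudTrail records, keeps only successful `CreateStack`/`CreateStackSet` calls from `cloudformation.amazonaws.com`, and alerts the first time an identity makes such a call without another success in the preceding ten days. The sample records, the exempt deploy-role prefix, the choice to key on `userIdentity.arn`, and the function names are assumptions of this example, not details taken from the page.

```python
import json
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)            # the rule's ten-day look-back
WATCHED_ACTIONS = {"CreateStack", "CreateStackSet"}

# Assumption (not from the page): identities whose stack creation is routine,
# here a CI/CD deploy role, exempted to cut false positives as the summary suggests.
EXEMPT_ARN_PREFIXES = ("arn:aws:sts::123456789012:assumed-role/ci-deploy/",)

# Constructed, trimmed CloudTrail records containing only the fields the logic reads.
# Note the AccessDenied record for bob and the DescribeStacks record for alice.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-03-01T10:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2024-03-02T09:30:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-03-03T01:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}}
{"eventTime":"2024-03-05T14:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2024-03-06T08:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStackSet","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-03-10T12:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"DescribeStacks","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2024-03-20T16:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
""".strip().splitlines()]


def is_successful_stack_creation(event: dict) -> bool:
    """Match the rule's query: a CloudFormation CreateStack/CreateStackSet call
    with a success outcome. CloudTrail omits errorCode on successful calls, so
    its presence marks a failed or denied attempt."""
    return (
        event.get("eventSource") == "cloudformation.amazonaws.com"
        and event.get("eventName") in WATCHED_ACTIONS
        and "errorCode" not in event
    )


def actor_arn(event: dict) -> str:
    """Identity key for the first-seen logic (assumption: the userIdentity ARN)."""
    return event.get("userIdentity", {}).get("arn", "")


def is_exempt(arn: str, exempt_prefixes=EXEMPT_ARN_PREFIXES) -> bool:
    return any(arn.startswith(prefix) for prefix in exempt_prefixes)


def find_first_time_creators(events, window=HISTORY_WINDOW,
                             exempt_prefixes=EXEMPT_ARN_PREFIXES):
    """Return (arn, eventName, eventTime) for every successful stack creation whose
    actor has no other successful creation within the preceding `window`.
    Failed attempts and non-creation CloudFormation calls neither alert nor count
    as prior history, mirroring a rule that only looks at successful events."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        if not is_successful_stack_creation(event):
            continue
        arn = actor_arn(event)
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get(arn)
        if not is_exempt(arn, exempt_prefixes) and (prev is None or ts - prev > window):
            alerts.append((arn, event["eventName"], event["eventTime"]))
        last_seen[arn] = ts
    return alerts


if __name__ == "__main__":
    for arn, action, when in find_first_time_creators(SAMPLE_EVENTS):
        print(f"{when} first-time {action} by {arn}")
```

Run against the constructed records, alice alerts on 2024-03-01, is quiet on 2024-03-05 (seen four days earlier), and alerts again on 2024-03-20 because fifteen days have passed since her last successful creation; bob's denied attempt on 2024-03-02 does not suppress the alert on his first successful `CreateStackSet`; the exempted deploy role never alerts. Widening `window` or clearing `exempt_prefixes` changes the output in the way the summary's false-positive guidance describes.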
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
Created: 2020-07-25