EC2 Instance Started With Previously Unseen AMI

Splunk Security Content

Summary
This detection rule identifies EC2 instances launched from Amazon Machine Images (AMIs) that have not been seen before. It monitors 'RunInstances' events in AWS CloudTrail logs and uses a lookup table to compare the AMI of each launch against the history of known AMIs. The rule has been deprecated; the recommended replacement relies on the latest Change Datamodel for accurate threat detection. The AWS App for Splunk and the Splunk Add-on for AWS must be installed, and a supporting search should be run first to populate the lookup with previously seen AMIs. Known false positives are limited: a legitimately new AMI will trigger the rule the first time it is used after creation.
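The following Python script is an added example of the logic the summary describes, not Splunk's own search: a "supporting search" builds a lookup of AMIs seen in historical CloudTrail 'RunInstances' events, and the detection flags launches whose AMI is absent from that lookup. The CloudTrail records are constructed samples; the field layout (eventSource, eventName, responseElements.instancesSet.items[].imageId) follows the CloudTrail RunInstances schema, and the function names are this example's own.

```python
"""Toy re-implementation of the 'EC2 instance started with previously unseen AMI'
detection over CloudTrail records. Added example, not Splunk's own search."""
import json

# Constructed CloudTrail records standing in for the historical window that the
# supporting search would scan. These are not real logs.
HISTORICAL_RECORDS = [
    {"eventTime": "2025-01-10T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa000000000001", "imageId": "ami-0aaa000000000001"}]}}},
    {"eventTime": "2025-01-12T17:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0bbb000000000002"}]}},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0bbb000000000002", "imageId": "ami-0bbb000000000002"}]}}},
]

# Constructed records for the window the detection runs over: one launch from a
# known AMI, one unrelated API call that must be ignored, one launch from an
# AMI that has never been seen.
NEW_RECORDS = [
    {"eventTime": "2025-01-16T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa000000000009", "imageId": "ami-0aaa000000000001"}]}}},
    {"eventTime": "2025-01-16T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"}},
    {"eventTime": "2025-01-16T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-temp"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0ccc000000000003", "imageId": "ami-0ccc000000000003"}]}}},
]


def _image_ids(section):
    """Collect imageId values from a requestParameters/responseElements block."""
    items = ((section or {}).get("instancesSet") or {}).get("items") or []
    return {it["imageId"] for it in items if it.get("imageId")}


def iter_run_instances(records):
    """Yield one normalised event per (RunInstances event, AMI) pair."""
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        image_ids = _image_ids(rec.get("responseElements")) | _image_ids(rec.get("requestParameters"))
        for image_id in sorted(image_ids):
            yield {"eventTime": rec["eventTime"], "imageId": image_id,
                   "user": (rec.get("userIdentity") or {}).get("arn", "unknown"),
                   "region": rec.get("awsRegion", "unknown")}


def update_lookup(lookup, records):
    """Supporting search: record the first and last time each AMI was used.
    Mutates and returns `lookup` (dict keyed by imageId)."""
    for ev in iter_run_instances(records):
        entry = lookup.setdefault(ev["imageId"],
                                  {"firstTime": ev["eventTime"], "lastTime": ev["eventTime"]})
        # Same-format ISO-8601 UTC timestamps sort chronologically as strings.
        entry["firstTime"] = min(entry["firstTime"], ev["eventTime"])
        entry["lastTime"] = max(entry["lastTime"], ev["eventTime"])
    return lookup


def detect_unseen_amis(records, lookup):
    """Detection search: RunInstances events whose AMI is not in the lookup."""
    return [ev for ev in iter_run_instances(records) if ev["imageId"] not in lookup]


def run_pipeline(history, new_records):
    """Build the lookup from history, alert on the new window, then fold the new
    window into the lookup so a legitimately new AMI alerts only once."""
    lookup = update_lookup({}, history)
    findings = detect_unseen_amis(new_records, lookup)
    update_lookup(lookup, new_records)
    return findings, lookup


if __name__ == "__main__":
    findings, lookup = run_pipeline(HISTORICAL_RECORDS, NEW_RECORDS)
    for finding in findings:
        print(json.dumps(finding))  # one line per unseen-AMI launch
```

The second `update_lookup` call in `run_pipeline` is what keeps the known false positives bounded: a genuinely new AMI raises one alert on first use and is quiet thereafter, which mirrors the summary's note that new AMIs will fire the rule once after creation.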
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Logon Session
Created: 2025-01-16