AWS SNS Topic Created by Rare User

Elastic Detection Rules

Summary
This detection rule identifies instances where an AWS Simple Notification Service (SNS) topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious operations. The rule uses a new terms detection method, so it flags a topic creation only when the acting user is observed performing it for the first time within a ten-day historical window. It examines the relevant user identity, request context, and associated API actions to judge whether the creation of the SNS topic is suspicious. The rule also provides guidance for investigating such events, including identifying the user and their typical behavior, evaluating the SNS topic's creation, and analyzing potential malicious patterns based on historical logs and associated API calls. Alongside this, the rule addresses possible false positives and offers response and remediation strategies so that legitimate use cases are handled responsibly.
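An added illustration of the new-terms logic described above, written in Python over constructed CloudTrail-style records; it is not Elastic's rule query, and the account id, identity ARNs and timestamps are made up:

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs). Only the fields the
# rule keys on are kept: event source, API action, calling identity and time.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-01T09:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "CreateTopic", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-automation"}},
    {"eventTime": "2025-02-05T10:30:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "CreateTopic", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-automation"}},
    {"eventTime": "2025-02-11T14:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "CreateTopic", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-jdoe"}},
    {"eventTime": "2025-02-11T14:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-jdoe"}},
    {"eventTime": "2025-02-12T07:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "CreateTopic", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern-asmith"}},
    {"eventTime": "2025-02-20T08:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "CreateTopic", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-automation"}},
]


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def new_term_alerts(events, window_days=10):
    """Return (eventTime, user arn) for each successful SNS CreateTopic whose
    caller has not performed CreateTopic in the preceding window_days days.

    This mirrors a new-terms rule: the term is the calling identity, and the
    history window is the period in which the term must already be known."""
    window = timedelta(days=window_days)
    last_seen = {}  # user arn -> time of that user's most recent CreateTopic
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] != "sns.amazonaws.com" or ev["eventName"] != "CreateTopic":
            continue
        if ev.get("errorCode"):
            continue  # a denied call created nothing; the rule keys on successes
        when = _parse_time(ev["eventTime"])
        user = ev["userIdentity"]["arn"]
        previous = last_seen.get(user)
        if previous is None or when - previous > window:
            alerts.append((ev["eventTime"], user))
        last_seen[user] = when
    return alerts
```

Note that the automation user alerts again on 2025-02-20: it had fallen out of the ten-day history, which is the kind of benign re-appearance the rule's false-positive guidance is meant to cover.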
Categories
  • Cloud
  • AWS
  • Containers
  • Other
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1608
Created: 2025-02-11