AWS CreateUser

Anvilogic Forge

Summary
This detection rule identifies the creation of a new IAM user in an AWS account, an event that can indicate unauthorized access or privilege escalation. The logic queries AWS CloudTrail logs for the IAM 'CreateUser' event occurring within the last two hours. An attacker who obtains credentials with IAM write permissions commonly creates an additional user to gain a foothold that survives rotation of the original credentials and to reach higher privilege levels, so surfacing this event promptly gives defenders an early signal. Legitimate user creation by administrators and provisioning pipelines will match as well, so in practice the finding is reviewed against the calling principal and source address rather than treated as an alert on its own. The rule is linked to several threat actors and maps to MITRE ATT&CK technique T1136.003 (Create Account: Cloud Account), which falls under the Persistence tactic. It requires that AWS CloudTrail logging is enabled, and includes references for further reading on the subject.
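The rule's logic, as an added example that is not part of the Anvilogic Forge page or the vendor's own query: it runs the CreateUser filter with a two-hour lookback over a constructed set of CloudTrail records (the account ID, ARNs, user names and IP addresses are placeholders, and the fixed `DETECTION_NOW` timestamp stands in for the current time). Beyond the rule as described, the example keeps denied CreateUser attempts in the output, since a failed call from an unexpected principal is itself worth a look, and records the calling identity and source address that an analyst would triage on.

```python
"""Detection logic for the AWS CreateUser rule, run over constructed CloudTrail records."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records for the example (not real telemetry; account
# ID, ARNs and IPs are placeholders). Field names follow the CloudTrail record
# schema: eventSource, eventName, eventTime, userIdentity, errorCode.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # 1: successful CreateUser inside the two-hour window -> finding
        "eventTime": "2024-02-09T13:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "backup-svc"},
        "responseElements": {"user": {"userName": "backup-svc"}},
    },
    {   # 2: CreateUser five hours ago -> outside the window, ignored
        "eventTime": "2024-02-09T09:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "old-user"},
    },
    {   # 3: a different IAM write inside the window -> not this rule's event
        "eventTime": "2024-02-09T13:20:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "backup-svc"},
    },
    {   # 4: denied CreateUser from an assumed role -> kept, flagged as failed
        "eventTime": "2024-02-09T13:40:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session1"},
        "requestParameters": {"userName": "svc-deploy2"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:CreateUser",
    },
]})

# Fixed "now" so the example is reproducible; production code would use
# datetime.now(timezone.utc). LOOKBACK is the rule's two-hour window.
DETECTION_NOW = datetime(2024, 2, 9, 14, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(hours=2)


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_create_user_events(raw_json, now=DETECTION_NOW, lookback=LOOKBACK):
    """Return one finding per iam:CreateUser call within [now - lookback, now].

    Failed calls (errorCode present) are kept rather than dropped: a denied
    CreateUser from an unexpected principal is often the first visible sign
    of a privilege-escalation attempt.
    """
    hits = []
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateUser":
            continue
        when = parse_event_time(rec["eventTime"])
        if when < now - lookback or when > now:
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "event_time": rec["eventTime"],
            "actor_arn": identity.get("arn"),
            "actor_type": identity.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "new_user": rec.get("requestParameters", {}).get("userName"),
            "error_code": rec.get("errorCode"),
            "succeeded": "errorCode" not in rec,
        })
    return hits


if __name__ == "__main__":
    for hit in find_create_user_events(SAMPLE_CLOUDTRAIL):
        print(json.dumps(hit))
```

Run against the constructed records, the function returns two findings: the successful creation of `backup-svc` by `alice` and the denied attempt from the `ReadOnly` assumed-role session; the five-hour-old CreateUser and the CreateAccessKey call are excluded. Widening the lookback brings the older event back, which is why the window is part of the rule rather than an implementation detail.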
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1136.003
Created: 2024-02-09