ASL AWS New MFA Method Registered For User

Splunk Security Content

Summary
This detection rule identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, which can be a critical security event indicating unauthorized access. The rule monitors AWS CloudTrail logs ingested through Amazon Security Lake (ASL) for the `CreateVirtualMFADevice` API operation. This activity is relevant because attackers often register a new MFA device after compromising an account, establishing a foothold that complicates remediation. The rule aggregates the matching events by counting occurrences and recording the first and last event timestamps, and it normalizes field names for clarity (e.g., URLs, user IDs, and IP addresses are rendered in more readable forms). The detection requires that AWS CloudTrail logs be ingested into Splunk and that the designated search query be used to surface these suspicious MFA registrations. Known false positives may arise from legitimate users registering an MFA device for the first time, so alerts need careful tuning in operation.
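As an added illustration (not the Splunk detection's own search), the following Python applies the same logic to constructed ASL-style records: it keeps only `CreateVirtualMFADevice` events and aggregates count, first/last timestamps and source IPs per user. The OCSF field paths (`api.operation`, `actor.user.uid`, `src_endpoint.ip`, `time`) and the sample records are assumptions made for this example, not taken from the page.

```python
"""Detection logic for new virtual MFA device registrations (added example,
not the Splunk rule's SPL). Field paths assume the OCSF layout Amazon Security
Lake uses for CloudTrail; the records below are constructed, not real logs."""
from collections import defaultdict
# Constructed ASL/OCSF-style CloudTrail records; 'time' is epoch milliseconds.
SAMPLE_EVENTS = [
    {"time": 1731585600000, "api": {"operation": "CreateVirtualMFADevice"},
     "actor": {"user": {"uid": "AIDAEXAMPLEUSER1", "name": "alice"}},
     "src_endpoint": {"ip": "198.51.100.7"}},
    {"time": 1731585660000, "api": {"operation": "ListUsers"},
     "actor": {"user": {"uid": "AIDAEXAMPLEUSER1", "name": "alice"}},
     "src_endpoint": {"ip": "198.51.100.7"}},
    {"time": 1731589200000, "api": {"operation": "CreateVirtualMFADevice"},
     "actor": {"user": {"uid": "AIDAEXAMPLEUSER2", "name": "bob"}},
     "src_endpoint": {"ip": "203.0.113.9"}},
    {"time": 1731592800000, "api": {"operation": "CreateVirtualMFADevice"},
     "actor": {"user": {"uid": "AIDAEXAMPLEUSER2", "name": "bob"}},
     "src_endpoint": {"ip": "203.0.113.10"}},
]

def _get(record, path, default=None):
    """Walk a dotted path through nested dicts; missing keys return default."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def detect_new_mfa_registrations(events):
    """Return per-user aggregates for CreateVirtualMFADevice calls:
    count, first/last event time and the set of source IPs seen."""
    hits = defaultdict(lambda: {"user_name": None, "count": 0,
                                "first_time": None, "last_time": None,
                                "src_ips": set()})
    for ev in events:
        if _get(ev, "api.operation") != "CreateVirtualMFADevice":
            continue  # only MFA device registrations are of interest
        h = hits[_get(ev, "actor.user.uid", "unknown")]
        t = _get(ev, "time")
        h["count"] += 1
        h["user_name"] = _get(ev, "actor.user.name")
        h["first_time"] = t if h["first_time"] is None else min(h["first_time"], t)
        h["last_time"] = t if h["last_time"] is None else max(h["last_time"], t)
        h["src_ips"].add(_get(ev, "src_endpoint.ip"))
    return dict(hits)
if __name__ == "__main__":
    for uid, h in detect_new_mfa_registrations(SAMPLE_EVENTS).items():
        print(uid, h["user_name"], h["count"], sorted(h["src_ips"]))
```

A user appearing here with more than one source IP in a short window is worth a closer look than a single first-time registration, which is the false-positive case the summary mentions.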
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1556
  • T1556.006
Created: 2024-11-14