Cloud Compute Instance Created With Previously Unseen Instance Type

Splunk Security Content

Summary
This rule identifies suspicious activity regarding the creation of EC2 instances with previously unseen instance types using AWS CloudTrail logs. By leveraging Splunk's tstats command, the rule analyzes the Change data model to detect any instance types that have not been previously recorded. Such activity could signify unauthorized attempts to create instances for malicious purposes, such as data exfiltration, unauthorized access, system compromise, or service disruption. This rule requires immediate investigation when triggered to ensure that the created instance is legitimate and not indicative of malicious intent.
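The baseline-and-flag logic the summary describes, as an added Python illustration rather than the rule's own SPL (the real rule runs tstats over the Change data model); the records below are constructed CloudTrail-shaped samples, and the account ID, user names and instance IDs are made up.

```python
# Constructed sample records (not real CloudTrail data), shaped like the
# RunInstances fields this check reads. ISO-8601 times compare lexically.
def _ev(time, user, *launches, name="RunInstances"):
    """Build a minimal CloudTrail-shaped record from (instance_type, instance_id) pairs."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "responseElements": {"instancesSet": {"items": [
                {"instanceId": i, "instanceType": t} for t, i in launches]}}}

BASELINE_EVENTS = [  # history used to learn which instance types are already known
    _ev("2024-11-01T09:00:00Z", "build-bot", ("t3.micro", "i-0aaa")),
    _ev("2024-11-02T10:30:00Z", "build-bot", ("t3.small", "i-0bbb"), ("t3.small", "i-0ccc")),
]
NEW_EVENTS = [  # the window being evaluated
    _ev("2024-11-14T03:12:00Z", "build-bot", ("t3.micro", "i-0ddd")),
    _ev("2024-11-14T03:15:00Z", "contractor", ("p3.16xlarge", "i-0eee"), ("p3.16xlarge", "i-0fff")),
    _ev("2024-11-14T03:20:00Z", "contractor", name="TerminateInstances"),
]

def launched_instances(event):
    """Yield (instance_type, instance_id) for each instance a RunInstances event created."""
    if event.get("eventName") != "RunInstances":
        return  # other API calls carry no launch data
    items = (event.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    for item in items:
        yield item["instanceType"], item["instanceId"]

def build_baseline(events):
    """Map each instance type to its earliest launch time: the rule's 'previously seen' lookup."""
    baseline = {}
    for ev in events:
        for itype, _ in launched_instances(ev):
            baseline[itype] = min(baseline.get(itype, ev["eventTime"]), ev["eventTime"])
    return baseline

def find_unseen(events, baseline):
    """Return one finding per event that launched an instance type absent from the baseline."""
    findings = []
    for ev in events:
        launches = list(launched_instances(ev))
        new_types = sorted({t for t, _ in launches if t not in baseline})
        if not new_types:
            continue
        findings.append({"time": ev["eventTime"], "user": ev["userIdentity"]["arn"],
                         "instance_types": new_types,
                         "instance_ids": [i for t, i in launches if t in new_types]})
        for t in new_types:  # record the type so a repeat launch does not re-alert
            baseline[t] = ev["eventTime"]
    return findings
```

On an empty baseline every type is unseen, so seed it from historical events before evaluating live ones.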
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
Created: 2024-11-14