AWS EC2 Manual Security Group Change

Panther Rules

Summary
The AWS EC2 Manual Security Group Change rule detects modifications to EC2 security groups that bypass approved organizational processes. It expects changes to arrive through recognized channels such as the AWS Console, AWS CloudFormation, or Terraform. The detection reads AWS CloudTrail logs, watches the relevant security group API events, and raises an alert when a security group is updated manually outside these predefined channels. The rule distinguishes event types associated with permitted and unauthorized changes, and evaluates specific actions (e.g., 'AuthorizeSecurityGroupIngress') against the allowed user agents set in the rule's configuration. It supports compliance with security policy and helps prevent unauthorized access or defense evasion.
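The logic the summary describes, as an added illustration rather than the Panther rule's own source: a `rule(event)` / `title(event)` pair in the shape Panther detections use, run over a handful of constructed CloudTrail records. Only `AuthorizeSecurityGroupIngress` is named on the page; the other event names, the user-agent markers for the approved channels, the sample ARNs and group IDs are all assumptions made for this example and should be tuned to what your own CloudTrail logs show.

```python
"""Added example of a CloudTrail-based "manual security group change" check.
Not the Panther rule's source; event names, user-agent markers and sample
records below are constructed for illustration."""

# EC2 API calls that mutate a security group. AuthorizeSecurityGroupIngress
# is the one the page names; the rest are assumed here.
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
}

# Assumed substrings identifying the approved channels in CloudTrail's
# userAgent field: AWS Console, CloudFormation and Terraform (assumption;
# verify against real logs before relying on them).
ALLOWED_USER_AGENTS = {
    "console.ec2.amazonaws.com",
    "cloudformation.amazonaws.com",
    "Terraform",
}


def rule(event: dict) -> bool:
    """Return True (alert) for a successful security group change whose
    userAgent matches none of the approved channels."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") not in SECURITY_GROUP_EVENTS:
        return False
    # A call that failed (errorCode set) changed nothing; do not alert on it.
    if event.get("errorCode"):
        return False
    user_agent = event.get("userAgent") or ""
    return not any(marker in user_agent for marker in ALLOWED_USER_AGENTS)


def title(event: dict) -> str:
    """Alert title naming the actor, the security group and the user agent."""
    identity = event.get("userIdentity") or {}
    actor = identity.get("arn") or identity.get("principalId") or "unknown"
    params = event.get("requestParameters") or {}
    group = params.get("groupId") or params.get("groupName") or "unknown"
    return (f"Manual security group change by {actor} to {group} "
            f"via user agent {event.get('userAgent')!r}")


def detect(events: list) -> list:
    """Evaluate a batch of CloudTrail records; return titles of those that alert."""
    return [title(e) for e in events if rule(e)]


# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {   # Terraform apply: approved channel, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.3.0 aws-sdk-go/1.44.0",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/terraform-deploy"},
        "requestParameters": {"groupId": "sg-0example0terraform"},
    },
    {   # Console change: approved channel, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress",
        "userAgent": "console.ec2.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"groupId": "sg-0example0console"},
    },
    {   # AWS CLI change outside approved channels: alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15 exe/x86_64",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"groupId": "sg-0example0manual"},
    },
    {   # Same CLI call but denied by IAM: nothing changed, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15 exe/x86_64",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"groupId": "sg-0example0manual"},
    },
    {   # Read-only EC2 call: not a security group event, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15 exe/x86_64",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Skipping records with an `errorCode` is a deliberate design choice: a denied `AuthorizeSecurityGroupIngress` is worth its own detection for access-attempt monitoring, but it is not a security group change, and folding it into this rule would inflate the alert count with events that altered no rule.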
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Cloud Service
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1562
Created: 2022-09-02