LoadBalancer Security Group Modification

Sigma Rules

Summary
This rule detects modifications to the security groups associated with Elastic Load Balancers (ELBs) and Application Load Balancers (ALBs) on AWS. A change to these security groups may mean that a misconfiguration is allowing excessive traffic into the system, increasing the application's exposure to attack. Alternatively, such an adjustment could indicate that an attacker is attempting to open new connections within a Virtual Private Cloud (VPC) or subnet. The rule specifically looks for two CloudTrail events, 'ApplySecurityGroupsToLoadBalancer' and 'SetSecurityGroups', both emitted by the Elastic Load Balancing service. The detection fires when either of these events occurs, indicating that the firewall-like configuration of the load balancer has changed. Organizations should treat such events with particular attention because they can weaken the security posture of their applications. False positives can occur when legitimate changes are made to repurpose an ELB/ALB for a different application, or when security groups are modified to deploy new services.
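The following is an added example, not part of the original rule page: it mirrors the rule's selection logic (Elastic Load Balancing event source plus one of the two event names) in Python, runs it over constructed CloudTrail records, and pulls out the actor, load balancer and security group ids an analyst needs to triage the false-positive cases the summary mentions. The account id, ARNs and security group ids in the sample records are made up.

```python
import json

ELB_EVENT_SOURCE = "elasticloadbalancing.amazonaws.com"
WATCHED_EVENT_NAMES = {"ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"}

# Constructed CloudTrail records (account id, ARNs and sg ids are made up):
# a Classic ELB change, an ALB change, a read-only call, and a garbage line.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": ELB_EVENT_SOURCE,
                "eventName": "ApplySecurityGroupsToLoadBalancer",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"loadBalancerName": "web-classic",
                                      "securityGroups": ["sg-0a1b2c3d"]}}),
    json.dumps({"eventSource": ELB_EVENT_SOURCE,
                "eventName": "SetSecurityGroups",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
                "requestParameters": {"loadBalancerArn": "arn:aws:elasticloadbalancing:"
                                      "us-east-1:123456789012:loadbalancer/app/web/abc123",
                                      "securityGroups": ["sg-0a1b2c3d", "sg-ffffffff"]}}),
    json.dumps({"eventSource": ELB_EVENT_SOURCE,
                "eventName": "DescribeLoadBalancers",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}}),
    "not json at all",
]

def matches_rule(record):
    """Mirror the rule's selection: ELB event source AND one of the two event names."""
    return (record.get("eventSource") == ELB_EVENT_SOURCE
            and record.get("eventName") in WATCHED_EVENT_NAMES)

def detect(lines):
    """Run the rule over newline-delimited CloudTrail JSON; skip unparseable lines."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not matches_rule(record):
            continue
        params = record.get("requestParameters") or {}
        alerts.append({
            "eventName": record["eventName"],
            "actor": record.get("userIdentity", {}).get("arn", "unknown"),
            # Classic ELB calls name the LB; ALB calls carry its ARN instead.
            "loadBalancer": params.get("loadBalancerName") or params.get("loadBalancerArn"),
            "securityGroups": params.get("securityGroups", []),
        })
    return alerts
```

Comparing the reported security groups against the ones your deployment tooling is expected to attach is the quickest way to separate a planned repurposing from an unexpected change.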
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2024-07-11