Detect AWS Console Login by New User

Splunk Security Content

Summary
This detection rule monitors new user logins to the AWS console by analyzing AWS CloudTrail events. It uses a lookup file of previously seen user account names (ARN values) to distinguish first-time login events from logins by users with an established history. The rule matters because it helps identify potentially unauthorized access: a newly created user account logging into the AWS console could indicate unexpected account creation, or a compromised account attempting to reach sensitive AWS resources. The detection works by tracking console login events and comparing each one against the lookup of known users, so that organizations can respond promptly to suspicious activity. It is part of a larger framework for cloud security monitoring that detects anomalies in user login patterns. As cloud environments become more dynamic and user provisioning more frequent, the risk of unauthorized access grows, making this detection increasingly relevant.
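The following is an added example that emulates the detection logic described above in Python; it is not the Splunk rule's own SPL and not code from Splunk Security Content. It reads CloudTrail records one JSON object per line, keeps only ConsoleLogin events, and flags any principal ARN that is missing from a lookup of previously seen console users, then updates that lookup so the next run treats the principal as known. The CloudTrail field names (eventName, userIdentity.arn, responseElements.ConsoleLogin, sourceIPAddress, eventTime) are the real record fields; the sample records, the account id, the ARNs, and the firstTime/lastTime lookup columns are constructed for this example and stand in for the rule's lookup file.

```python
"""Emulation of 'AWS Console Login by New User' (added example, not the Splunk rule).

Each CloudTrail record is one JSON line. Only eventName == "ConsoleLogin" is
considered; the principal ARN is compared against a lookup of previously seen
console users, and unseen ARNs are raised as alerts.
"""
import json
from typing import Iterable, Iterator

# Constructed sample CloudTrail lines (synthetic account id, ARNs and IPs).
SAMPLE_LINES = [
    json.dumps({"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "eventTime": "2024-11-14T09:12:31Z",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
                "sourceIPAddress": "203.0.113.10",
                "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "eventTime": "2024-11-14T09:40:02Z",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
                "sourceIPAddress": "198.51.100.7",
                "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "eventTime": "2024-11-14T10:05:45Z",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
                "sourceIPAddress": "192.0.2.44",
                "responseElements": {"ConsoleLogin": "Failure"}}),
    # Not a console login: an API call by a known user, must be ignored.
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "eventTime": "2024-11-14T10:10:00Z",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}),
    "{this line is not valid json",  # malformed input must not abort the run
]

# Constructed stand-in for the rule's lookup file: ARN -> first/last console login seen.
PREVIOUSLY_SEEN = {
    "arn:aws:iam::123456789012:user/alice": {"firstTime": "2024-10-01T08:00:00Z",
                                             "lastTime": "2024-11-01T08:00:00Z"},
}


def parse_console_logins(lines: Iterable[str]) -> Iterator[dict]:
    """Yield normalized ConsoleLogin records; skip other events and malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line should not stop the whole detection run
        if rec.get("eventName") != "ConsoleLogin":
            continue
        arn = rec.get("userIdentity", {}).get("arn")
        if not arn:
            continue  # no principal to compare against the lookup
        yield {
            "arn": arn,
            "eventTime": rec.get("eventTime", ""),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            # "Success" or "Failure" for console logins; default if the field is absent
            "status": rec.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
        }


def detect_new_console_logins(lines: Iterable[str], seen: dict) -> tuple[list[dict], dict]:
    """Return (alerts, updated_lookup). The caller's lookup is not mutated."""
    updated = {arn: dict(times) for arn, times in seen.items()}
    alerts = []
    for login in parse_console_logins(lines):
        arn = login["arn"]
        if arn not in updated:
            alerts.append(login)  # first-time console login for this ARN
            updated[arn] = {"firstTime": login["eventTime"], "lastTime": login["eventTime"]}
        else:
            # ISO-8601 UTC timestamps in this fixed format compare correctly as strings.
            updated[arn]["lastTime"] = max(updated[arn]["lastTime"], login["eventTime"])
    return alerts, updated


if __name__ == "__main__":
    found, lookup = detect_new_console_logins(SAMPLE_LINES, PREVIOUSLY_SEEN)
    for alert in found:
        print(f"NEW CONSOLE LOGIN {alert['status']}: {alert['arn']} "
              f"from {alert['sourceIPAddress']} at {alert['eventTime']}")
```

Failed attempts by an unseen ARN are still raised here, since an unknown principal attempting console access is itself worth review; if only successful first logins should alert, filter on `status == "Success"` before appending. The returned lookup is what you would write back as the next run's "previously seen" list.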
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1586
  • T1586.003
  • T1552
Created: 2024-11-14