
EC2 Instance Started With Previously Unseen User

Splunk Security Content

Summary
This detection identifies EC2 instances started by IAM principals that have not previously launched instances in the AWS environment. It uses AWS CloudTrail logs to monitor the RunInstances event and cross-references the acting user against a lookup table that records previously seen EC2 launches per user. A user whose earliest recorded launch falls within the time window defined in the search is treated as new, and the activity is flagged as potentially unauthorized or suspicious. Note that this rule has been deprecated and replaced by a detection built on the Change data model, which covers the same behavior more efficiently. A first launch by a user is not malicious on its own (a new hire, a newly assumed role, or new automation produces the same pattern), so analysts need to verify the user's intent when the rule fires.
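The following is an added worked example, not code from Splunk Security Content, that implements the detection logic described above in Python: filter CloudTrail records to successful RunInstances events, aggregate first/last launch time per principal, merge that with a "previously seen" lookup, and flag any principal whose earliest-ever launch lands inside a recent window. The CloudTrail field names (eventName, errorCode, userIdentity.arn, sourceIPAddress) are real; the sample events, the lookup schema, and the 70-minute window are constructed assumptions for illustration.

```python
"""Flag EC2 RunInstances events from principals not seen launching before.

Added example mirroring the rule described on this page. The lookup schema
and the 70-minute "new user" window are assumptions, not the rule's own values.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real logs), trimmed to the
# fields the detection needs.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-16T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-16T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "sourceIPAddress": "198.51.100.7"},
    # Failed launch: CloudTrail sets errorCode, so the rule ignores it.
    {"eventTime": "2025-01-16T10:06:00Z", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eve"},
     "sourceIPAddress": "198.51.100.9"},
    # Not a launch at all.
    {"eventTime": "2025-01-16T10:07:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.11"},
]

# Assumed lookup schema: principal ARN -> earliest and latest launch seen so far.
SEEN_LOOKUP = {
    "arn:aws:iam::123456789012:user/alice": {
        "firstTime": datetime(2024, 11, 2, 9, 0, tzinfo=timezone.utc),
        "lastTime": datetime(2025, 1, 10, 14, 30, tzinfo=timezone.utc),
    },
}

# Constructed "now" for the search run, so the example is deterministic.
NOW = datetime(2025, 1, 16, 10, 30, tzinfo=timezone.utc)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_successful_run_instances(event):
    """Only successful launches count; a failed RunInstances carries errorCode."""
    return event.get("eventName") == "RunInstances" and "errorCode" not in event


def detect_unseen_launchers(events, lookup, now, window=timedelta(minutes=70)):
    """Return (alerts, updated_lookup).

    alerts: one dict per principal whose earliest launch on record falls
    within `window` of `now`, i.e. the lookup had never seen them before.
    updated_lookup: the merged table the search would write back, so the
    next run treats these principals as known.
    """
    merged = {arn: dict(v) for arn, v in lookup.items()}  # do not mutate caller's table

    # Step 1: aggregate the current search results per principal
    # (earliest/latest launch time, plus a source IP for the analyst).
    current = {}
    for ev in events:
        if not is_successful_run_instances(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        t = parse_time(ev["eventTime"])
        c = current.setdefault(arn, {"firstTime": t, "lastTime": t,
                                     "sourceIPAddress": ev.get("sourceIPAddress")})
        c["firstTime"] = min(c["firstTime"], t)
        c["lastTime"] = max(c["lastTime"], t)

    # Step 2: merge with the lookup, keeping the earliest first-seen and
    # latest last-seen per principal.
    for arn, c in current.items():
        if arn in merged:
            merged[arn]["firstTime"] = min(merged[arn]["firstTime"], c["firstTime"])
            merged[arn]["lastTime"] = max(merged[arn]["lastTime"], c["lastTime"])
        else:
            merged[arn] = {"firstTime": c["firstTime"], "lastTime": c["lastTime"]}

    # Step 3: a principal is "previously unseen" if, even after the merge, its
    # earliest launch is inside the window. Known users keep an older firstTime.
    cutoff = now - window
    alerts = [
        {"principal": arn, "firstTime": merged[arn]["firstTime"],
         "sourceIPAddress": current[arn]["sourceIPAddress"]}
        for arn in current if merged[arn]["firstTime"] >= cutoff
    ]
    return alerts, merged


def run_example():
    """Run the detection over the constructed events and lookup."""
    return detect_unseen_launchers(SAMPLE_EVENTS, SEEN_LOOKUP, NOW)


if __name__ == "__main__":
    found, _ = run_example()
    for a in found:
        print(f"NEW LAUNCHER {a['principal']} first seen {a['firstTime']:%Y-%m-%dT%H:%MZ} from {a['sourceIPAddress']}")
```

Running this flags only mallory: alice already has a firstTime in the lookup from November, eve's launch failed, and bob never called RunInstances. The write-back of the merged table is what keeps the rule from re-alerting on the same user every run; it is also why a principal that is legitimately new (a fresh role or pipeline identity) fires exactly once and then goes quiet, which is the triage point the summary makes.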
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1078.004
Created: 2025-01-16