
New Network Route Added

Sigma Rules

Summary
This rule detects the addition of a new route to a route table in AWS using CloudTrail logs. It selects records whose eventSource is the EC2 service and whose eventName is 'CreateRoute'; any record that satisfies both conditions triggers an alert, with no further filtering. Unauthorized route changes matter because a principal who can write to a route table can redirect traffic, for example by pointing a default route at an internet gateway or at an instance under their control. The rule is mapped to the initial access tactic in MITRE ATT&CK, technique T1190 (Exploit Public-Facing Application). Logging and reviewing these changes also supports compliance and overall security posture.

Expect false positives from legitimate infrastructure work, such as VPC creation or subnet additions that require new routes. The calling principal, the destination CIDR and the route target in requestParameters are the fields to check when triaging an alert.
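The detection condition described above, applied to a few constructed CloudTrail records. This is an added example, not the Sigma rule itself or code from the rule's authors; the field names (eventSource, eventName, requestParameters, userIdentity.arn, errorCode) follow the public CloudTrail record schema, and the triage step that rates a default route to an internet gateway as high severity is an assumption added here for illustration.

```python
"""Run the page's CreateRoute detection over constructed CloudTrail records."""
import json

# The rule's selection: EC2 service and the CreateRoute API call.
EVENT_SOURCE = "ec2.amazonaws.com"
EVENT_NAME = "CreateRoute"

# Constructed sample records (not real CloudTrail output). Field names are an
# assumption based on the public CloudTrail record schema.
SAMPLE_RECORDS = [
    {   # matches: new default route to an internet gateway, from an IAM user
        "eventTime": "2024-07-11T10:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateRoute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.5",
        "requestParameters": {
            "routeTableId": "rtb-0a1b2c3d4e5f67890",
            "destinationCidrBlock": "0.0.0.0/0",
            "gatewayId": "igw-0123456789abcdef0",
        },
    },
    {   # matches: route to a peering connection, created by CI automation
        "eventTime": "2024-07-11T10:20:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateRoute",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/terraform-ci/run-42"},
        "sourceIPAddress": "10.0.0.12",
        "requestParameters": {
            "routeTableId": "rtb-0a1b2c3d4e5f67890",
            "destinationCidrBlock": "10.20.0.0/16",
            "vpcPeeringConnectionId": "pcx-0fedcba9876543210",
        },
    },
    {   # no match: read-only EC2 call
        "eventTime": "2024-07-11T10:21:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeRouteTables",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "203.0.113.9",
    },
    {   # no match: same API name on a different service (API Gateway v2 routes),
        # which is why the rule checks eventSource as well as eventName
        "eventTime": "2024-07-11T10:22:10Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "CreateRoute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "sourceIPAddress": "203.0.113.7",
    },
]
# Newline-delimited JSON, the shape a log pipeline would typically hand over.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

# Keys CloudTrail uses for the route target in CreateRoute requestParameters.
ROUTE_TARGET_KEYS = ("gatewayId", "natGatewayId", "transitGatewayId",
                     "vpcPeeringConnectionId", "networkInterfaceId", "instanceId",
                     "egressOnlyInternetGatewayId", "localGatewayId")


def matches_rule(record: dict) -> bool:
    """The rule's condition: both selection fields must match exactly."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") == EVENT_NAME)


def triage(record: dict) -> dict:
    """Pull out the fields an analyst needs to decide if the route is legitimate.

    Severity is a hypothetical rating for this example: a default route
    (0.0.0.0/0 or ::/0) to an internet gateway is rated high, anything else medium.
    """
    params = record.get("requestParameters") or {}
    target = next((params[k] for k in ROUTE_TARGET_KEYS if k in params), None)
    dest = params.get("destinationCidrBlock") or params.get("destinationIpv6CidrBlock")
    default_route = dest in ("0.0.0.0/0", "::/0")
    internet_gateway = bool(target) and target.startswith("igw-")
    return {
        "time": record.get("eventTime"),
        "principal": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "route_table": params.get("routeTableId"),
        "destination": dest,
        "target": target,
        # The rule fires even when the API call was denied; CloudTrail records a
        # failed call with an errorCode, which is worth showing in the alert.
        "failed": "errorCode" in record,
        "severity": "high" if (default_route and internet_gateway) else "medium",
    }


def run_detection(jsonl_text: str) -> list:
    """Parse newline-delimited CloudTrail records and return triaged matches."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if matches_rule(record):
            hits.append(triage(record))
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(json.dumps(hit, indent=2))
```

The two matching records show the false-positive problem the summary raises: the same rule fires for the Terraform CI role and for an interactive IAM user, so the principal and the destination/target pair are what separate routine infrastructure changes from a suspicious default route to an internet gateway.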
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
Created: 2024-07-11