
Summary
The AWS Lambda CreateFunction API call lets users create new Lambda functions in their AWS account, including the function's code, runtime, and other settings. However, threat actors can abuse this API to establish persistence or execute arbitrary code by deploying malicious Lambda functions. With compromised credentials, this supports a broader attack methodology aimed at maintaining access within the AWS environment. This detection rule identifies occurrences of the CreateFunction API call in CloudTrail logs to alert administrators to potentially unauthorized or malicious usage. The provided Splunk logic queries the relevant CloudTrail logs for the CreateFunction event name, aggregates the results over time, and enriches the data with additional information such as DNS resolution and the geographical location of the source IP. Admins can use this information to assess any new Lambda functions that do not adhere to organizational policies or appear suspicious.
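The Splunk search itself is not reproduced on this page, so as an added example (not the rule's own query) the same detection logic is shown in Python over constructed CloudTrail-style records: filter on the CreateFunction event name and aggregate by actor and source IP over time. The principal ARN, IP addresses and function names are constructed, the DNS and geolocation enrichment is omitted, and the filter matches the event name by prefix because CloudTrail records Lambda's versioned operation name (CreateFunction20150331).

```python
"""Lambda CreateFunction detection over CloudTrail records (added example,
not the rule's own Splunk search): filter on the CreateFunction event name,
then aggregate by actor and source IP. Records are constructed samples."""
from collections import defaultdict

LAMBDA = "lambda.amazonaws.com"
ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal

def _rec(time, source, name, ip, actor, fn):
    # Constructed CloudTrail-style record carrying only the fields used.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"arn": actor},
            "requestParameters": {"functionName": fn}}

# CloudTrail records Lambda's versioned operation name
# ("CreateFunction20150331"), so the filter matches on the prefix.
SAMPLE_RECORDS = [
    _rec("2024-08-15T10:00:00Z", LAMBDA, "CreateFunction20150331",
         "203.0.113.10", ALICE, "nightly-report"),
    _rec("2024-08-15T10:05:00Z", LAMBDA, "CreateFunction20150331",
         "198.51.100.7", ALICE, "sys-helper"),
    _rec("2024-08-15T10:06:00Z", LAMBDA, "CreateFunction20150331",
         "198.51.100.7", ALICE, "sys-helper2"),
    _rec("2024-08-15T10:07:00Z", LAMBDA, "Invoke",
         "198.51.100.7", ALICE, "sys-helper"),            # not a creation
    _rec("2024-08-15T10:08:00Z", "s3.amazonaws.com", "CreateBucket",
         "198.51.100.7", ALICE, None),                    # not Lambda
]

def is_create_function(record):
    """True for a Lambda CreateFunction call, whatever its API-version suffix."""
    return (record.get("eventSource") == LAMBDA
            and str(record.get("eventName", "")).startswith("CreateFunction"))

def aggregate_create_function(records):
    """Group matches by (actor ARN, source IP) with count, time span and the
    function names created, mirroring the rule's per-window aggregation."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "functions": []})
    for rec in records:
        if not is_create_function(rec):
            continue
        g = groups[(rec.get("userIdentity", {}).get("arn", "unknown"),
                    rec.get("sourceIPAddress", "unknown"))]
        g["count"] += 1
        t = rec["eventTime"]  # ISO-8601 UTC strings sort chronologically
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        g["functions"].append(rec["requestParameters"].get("functionName"))
    return dict(groups)
```

Two creations from a second source IP within a minute surface as one row with both function names, which is the shape an analyst would then enrich with DNS and geolocation as the rule does.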
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1648
Created: 2024-08-15