
Summary
This detection rule identifies when an AWS Route53 private hosted zone is associated with a Virtual Private Cloud (VPC). Associating a private hosted zone with a VPC makes that zone's records authoritative for name resolution inside the VPC, so while the association is usually a legitimate administrative action, an unauthorized association can be used to alter DNS routing for workloads in that VPC. The rule leverages CloudTrail logs to capture successful `AssociateVPCWithHostedZone` API calls (events from the `route53.amazonaws.com` event source that carry no error code) within a specified timeframe (the last 60 minutes). The rule is configured to run every 10 minutes, so consecutive runs overlap and an event is not missed between executions; the query is written in KQL and filters CloudTrail events to those related to Route53.

When triggered, the rule raises a low severity alert with a risk score of 21, indicating that while the activity may not immediately imply an attack, it warrants investigation to confirm that no unauthorized associations are being made. The rule includes a comprehensive triage and analysis section detailing investigation steps, potential false positives, and response measures. It points out common reasons for false positives, including routine infrastructure changes and automated deployment scripts, and urges users to clearly document and manage the set of authorized VPCs so that expected associations can be recognised and noise in the alerting system kept to a minimum. A reference to the relevant AWS documentation is also provided for further guidance.
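The detection logic described above, applied to a handful of constructed CloudTrail records, as an added example (this is not the rule's own code, and the records are invented for illustration). It keeps only successful `AssociateVPCWithHostedZone` events from the Route53 event source inside the 60-minute lookback window and tags each alert with whether the VPC is on a documented allowlist, which is the triage step the summary recommends. The CloudTrail field layout (`requestParameters.hostedZoneId`, `requestParameters.vPC.vPCId`, `errorCode` present only on failures) follows the CloudTrail record format as I recall it and should be checked against your own logs; the `AUTHORIZED_VPCS` set and the `NOW` timestamp are assumptions for the example.

```python
"""Added example: evaluate a Route53 private hosted zone / VPC association
detection over constructed CloudTrail records. Not the rule's own code.

The production rule expresses roughly the same filter in KQL (my reconstruction,
not quoted from the rule):
  event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com
    and event.action:AssociateVPCWithHostedZone and event.outcome:success
"""
import json
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=60)            # rule's lookback window
NOW = datetime(2021, 7, 19, 11, 0, tzinfo=timezone.utc)   # assumed "current" time
AUTHORIZED_VPCS = frozenset({"vpc-0aaaaaaaaaaaaaaa1"})    # assumed documented VPC list

# Constructed CloudTrail records, trimmed to the fields the logic needs.
SAMPLE_RECORDS = [
    {"eventTime": "2021-07-19T10:15:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "AssociateVPCWithHostedZone",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE1",
                           "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0aaaaaaaaaaaaaaa1"}}},
    {"eventTime": "2021-07-19T10:40:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "AssociateVPCWithHostedZone",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE1",
                           "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0bbbbbbbbbbbbbbb2"}}},
    # Failed call: CloudTrail adds errorCode, so it is not a successful association.
    {"eventTime": "2021-07-19T10:45:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "AssociateVPCWithHostedZone", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE2",
                           "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0ccccccccccccccc3"}}},
    # Successful, but three hours ago: outside the 60-minute window.
    {"eventTime": "2021-07-19T08:00:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "AssociateVPCWithHostedZone",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE1",
                           "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0ddddddddddddddd4"}}},
    # Different Route53 API call: not what this rule looks for.
    {"eventTime": "2021-07-19T10:50:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "DisassociateVPCFromHostedZone",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE1",
                           "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0aaaaaaaaaaaaaaa1"}}},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]   # one JSON record per log line


def is_successful_association(rec):
    """Route53 AssociateVPCWithHostedZone call that completed without an error."""
    return (rec.get("eventSource") == "route53.amazonaws.com"
            and rec.get("eventName") == "AssociateVPCWithHostedZone"
            and "errorCode" not in rec)


def in_window(rec, now, lookback=LOOKBACK):
    """True if the event falls inside [now - lookback, now]."""
    t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now - lookback <= t <= now


def detect(lines, now=NOW, authorized_vpcs=AUTHORIZED_VPCS):
    """Return one low-severity alert per matching record, tagged for triage."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if not (is_successful_association(rec) and in_window(rec, now)):
            continue
        params = rec.get("requestParameters", {})
        vpc = params.get("vPC", {})
        alerts.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "hosted_zone": params.get("hostedZoneId"),
            "vpc": vpc.get("vPCId"),
            "region": vpc.get("vPCRegion"),
            "authorized_vpc": vpc.get("vPCId") in authorized_vpcs,  # triage hint, not a suppression
            "severity": "low",
            "risk_score": 21,
        })
    return alerts


def run_example():
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_example():
        print(json.dumps(alert))
```

Two alerts come out: the association from the deploy role to the documented VPC, flagged `authorized_vpc: true`, and the contractor's association to an undocumented VPC, which is the one worth escalating. The allowlist only annotates the alert rather than suppressing it, so an association made through a compromised deployment role still surfaces and the investigator can judge it against change records.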
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Storage
- Application Log
- Network Traffic
ATT&CK Techniques
- T1098
Created: 2021-07-19