
Cloud Compute Instance Created With Previously Unseen Image

Splunk Security Content

Summary
This analytic detection rule identifies cloud compute instances created with an image that has not been seen before, which can indicate malicious activity or unauthorized access. It leverages AWS CloudTrail logs to track the image IDs associated with newly created instances. The rule focuses on when an image is first used and whether that use is legitimate, scrutinizing in particular images that have not been observed previously. Because an uninvestigated instance launched from a suspicious image could lead to serious security incidents, such as data breaches or unauthorized access to sensitive cloud information, this activity should be monitored closely and investigated promptly. To implement the detection, organizations must ingest the relevant cloud logs and maintain a baseline of known, approved images that is updated regularly, so that the first appearance of any new image triggers an alert for further evaluation and action.
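The baseline-and-first-seen logic described above, written here as an added illustration in Python rather than the Splunk rule's own search: it walks a constructed set of CloudTrail `RunInstances` events, compares each launch's `imageId` against a baseline of known images, alerts on the first use of any unseen image, and folds that image into the baseline so later launches from it do not re-alert. The event shapes, account IDs and AMI IDs are constructed samples, not real log data.

```python
import json
from typing import Dict, List, Set

# Constructed sample CloudTrail records (not real log data). RunInstances
# carries the requested image under requestParameters.instancesSet.items[].
SAMPLE_EVENTS: List[Dict] = [
    {"eventName": "RunInstances", "eventTime": "2024-11-14T09:00:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0aaa11112222bbbb3"}]}}},
    {"eventName": "RunInstances", "eventTime": "2024-11-14T09:05:00Z",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0ccc33334444dddd5"}]}}},
    {"eventName": "RunInstances", "eventTime": "2024-11-14T09:06:00Z",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0ccc33334444dddd5"}]}}},
    {"eventName": "TerminateInstances", "eventTime": "2024-11-14T09:07:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}},
]

# Baseline of images already known/approved in the environment (constructed).
KNOWN_IMAGES: Set[str] = {"ami-0aaa11112222bbbb3"}


def image_ids(event: Dict) -> List[str]:
    """Extract every imageId requested by a RunInstances event."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [item["imageId"] for item in items if "imageId" in item]


def detect_unseen_images(events: List[Dict], baseline: Set[str]) -> List[Dict]:
    """Alert once per image the first time it is used to launch an instance.

    The baseline is updated in place, so a new image alerts on its first
    launch and is treated as known afterwards (the analyst still decides
    whether it is legitimate and should stay in the approved list).
    """
    alerts: List[Dict] = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        if event.get("eventName") != "RunInstances":
            continue
        for ami in image_ids(event):
            if ami in baseline:
                continue
            baseline.add(ami)
            alerts.append({"firstSeen": event["eventTime"], "imageId": ami,
                           "user": event.get("userIdentity", {}).get("arn"),
                           "sourceIPAddress": event.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_unseen_images(SAMPLE_EVENTS, set(KNOWN_IMAGES)), indent=2))
```

In a production deployment the baseline would be a persisted lookup refreshed on a schedule, and each alert would be triaged on who launched the image, from where, and whether the image was built through the approved pipeline.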
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Cloud Service
Created: 2024-11-14