IAM User Created

Panther Rules

Summary
This detection rule monitors AWS IAM (Identity and Access Management) user creation events by analyzing logs generated by AWS CloudTrail. The rule triggers whenever an IAM user is created, which can signify an internal change to the AWS account's permissions or a potentially unauthorized user addition. It supports security by ensuring that new user accounts are validated against authorized personnel. If the user is created by someone who does not have sufficient privileges, this could indicate suspicious activity requiring further investigation. Security teams are advised to check whether the IAM user creation aligns with company policies and compliance standards, as unauthorized user accounts can pose significant security risks.
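The matching and validation described above can be sketched as follows. This is an added example, not the Panther rule's source: the allowlist, account ID, ARNs and sample events are constructed, and the function names are hypothetical.

```python
# Added example, not the Panther rule's source. Account ID, ARNs and events are constructed.
AUTHORIZED_CREATORS = {  # hypothetical allowlist of approved provisioning roles
    "arn:aws:iam::111122223333:role/iam-provisioning",
}

def is_iam_user_creation(event):
    """Match the CloudTrail record written for the IAM CreateUser API call."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "CreateUser")

def triage(event):
    """Return None for unrelated events, otherwise a finding for the analyst."""
    if not is_iam_user_creation(event):
        return None
    identity = event.get("userIdentity") or {}
    # Assumed-role sessions carry the underlying role ARN in sessionIssuer.
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    actor = issuer.get("arn") or identity.get("arn") or "<unknown>"
    # requestParameters can be null on failed calls, so guard before reading it.
    target = (event.get("requestParameters") or {}).get("userName", "<unknown>")
    if event.get("errorCode"):
        verdict = "failed_attempt"   # call failed (e.g. AccessDenied); no user created
    elif actor in AUTHORIZED_CREATORS:
        verdict = "authorized"
    else:
        verdict = "review"           # user was created by an unlisted principal
    return {"actor": actor, "new_user": target, "verdict": verdict,
            "source_ip": event.get("sourceIPAddress")}

def _event(actor_arn, user=None, error=None, issuer=None):
    """Build a constructed CloudTrail-shaped CreateUser record."""
    identity = {"arn": actor_arn}
    if issuer:
        identity["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    return {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
            "userIdentity": identity, "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"userName": user} if user else None,
            "errorCode": error}

SAMPLE_EVENTS = [
    _event("arn:aws:sts::111122223333:assumed-role/iam-provisioning/ci",
           user="svc-build", issuer="arn:aws:iam::111122223333:role/iam-provisioning"),
    _event("arn:aws:iam::111122223333:user/alice", user="backup-admin"),
    _event("arn:aws:iam::111122223333:user/bob", error="AccessDenied"),
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(triage(e))
```

Failed calls are kept as findings rather than dropped, since a denied CreateUser attempt is the case the summary flags for investigation.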
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2025-01-31