
Summary
This detection rule monitors AWS Security Groups, specifically their egress rules. Egress rules define the outbound traffic permitted for instances within a security group, allowing them to communicate with external IP addresses or with other associated security groups. The rule captures AWS CloudTrail events from the previous two hours in which a user invokes the 'AuthorizeSecurityGroupEgress' API action to add an egress rule. This matters for the security posture of an AWS environment, because an unauthorized or unexpected egress rule can open a path for data exfiltration or weaken existing access controls. The rule is written in Snowflake SQL and queries the relevant AWS CloudTrail logs for authorization events that modify egress rules.
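The same detection logic, run over a handful of CloudTrail-shaped records, as an added example that is not the rule's own Snowflake SQL and not code from the rule's authors. The records are constructed sample data; their field layout (eventName, eventTime, userIdentity.arn, requestParameters.ipPermissions.items) follows the shape CloudTrail uses for EC2 API calls, which is an assumption of the example rather than something the page states. Beyond the page's filter on event name and a two-hour window, it also flattens the requested permissions, marks unrestricted destinations, and keeps denied attempts (records carrying errorCode) visible while labelling them as such.

```python
"""Toy implementation of the egress-rule detection over CloudTrail records.

Constructed example: every record below is made-up sample data laid out the
way CloudTrail records EC2 API calls (an assumption of this example); none of
it comes from a real account.
"""
from datetime import datetime, timedelta, timezone

WATCHED_EVENT = "AuthorizeSecurityGroupEgress"
WATCHED_SOURCE = "ec2.amazonaws.com"
LOOKBACK = timedelta(hours=2)          # the rule's two-hour window


def _event(time, name, actor, group, perms=None, error=None):
    """Build one constructed CloudTrail-shaped record (sample data only)."""
    rec = {
        "eventTime": time,
        "eventSource": WATCHED_SOURCE,
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"groupId": group, "ipPermissions": {"items": perms or []}},
    }
    if error:
        rec["errorCode"] = error   # CloudTrail records denied calls this way
    return rec


def _perm(proto, from_port, to_port, cidrs=(), groups=()):
    """One ipPermissions item: protocol, port range and destinations."""
    return {
        "ipProtocol": proto, "fromPort": from_port, "toPort": to_port,
        "ipRanges": {"items": [{"cidrIp": c} for c in cidrs]},
        "groups": {"items": [{"groupId": g} for g in groups]},
    }


SAMPLE_EVENTS = [
    _event("2024-02-09T11:05:00Z", WATCHED_EVENT, "alice", "sg-0123456789abcdef0",
           [_perm("tcp", 443, 443, cidrs=["0.0.0.0/0"])]),
    _event("2024-02-09T11:30:00Z", "DescribeSecurityGroups", "alice", "sg-0123456789abcdef0"),
    _event("2024-02-09T06:00:00Z", WATCHED_EVENT, "carol", "sg-0123456789abcdef0",
           [_perm("tcp", 22, 22, cidrs=["203.0.113.0/24"])]),      # outside the window
    _event("2024-02-09T10:30:00Z", WATCHED_EVENT, "bob", "sg-0fedcba9876543210",
           [_perm("tcp", 5432, 5432, groups=["sg-0aaaabbbbccccdddd"])]),
    _event("2024-02-09T11:50:00Z", "RevokeSecurityGroupEgress", "bob", "sg-0fedcba9876543210"),
    _event("2024-02-09T11:55:00Z", WATCHED_EVENT, "dave", "sg-0123456789abcdef0",
           [_perm("-1", None, None, cidrs=["0.0.0.0/0"])], error="UnauthorizedOperation"),
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def describe_permissions(request_params):
    """Flatten the ipPermissions.items structure into one row per permission."""
    rows = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        dests = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        dests += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        dests += [g["groupId"] for g in perm.get("groups", {}).get("items", [])]
        rows.append({
            "protocol": perm.get("ipProtocol"),
            "from_port": perm.get("fromPort"),
            "to_port": perm.get("toPort"),
            "destinations": dests,
            # An unrestricted destination is the rule shape that lets an instance
            # reach any host on the internet, so it deserves the closest review.
            "unrestricted": any(d in ("0.0.0.0/0", "::/0") for d in dests),
        })
    return rows


def find_egress_authorizations(events, now, lookback=LOOKBACK):
    """Return the AuthorizeSecurityGroupEgress calls seen inside the lookback window."""
    cutoff = now - lookback
    hits = []
    for ev in events:
        if ev.get("eventSource") != WATCHED_SOURCE or ev.get("eventName") != WATCHED_EVENT:
            continue
        when = parse_event_time(ev["eventTime"])
        if not cutoff <= when <= now:
            continue
        params = ev.get("requestParameters") or {}
        hits.append({
            "time": when,
            "actor": ev.get("userIdentity", {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "group_id": params.get("groupId"),
            # A record with errorCode is a denied attempt: it shows who tried,
            # but it did not change the group.
            "succeeded": "errorCode" not in ev,
            "permissions": describe_permissions(params),
        })
    hits.sort(key=lambda h: h["time"])
    return hits


if __name__ == "__main__":
    now = parse_event_time("2024-02-09T12:00:00Z")
    for hit in find_egress_authorizations(SAMPLE_EVENTS, now):
        status = "ok" if hit["succeeded"] else "DENIED"
        print(hit["time"].isoformat(), hit["actor"], hit["group_id"], status, hit["permissions"])
```

With the sample data and a reference time of 12:00 UTC, the function returns three hits (bob, alice, dave) and skips the DescribeSecurityGroups and RevokeSecurityGroupEgress calls as well as carol's authorization from six hours earlier. The same three filters (event source, event name, time window) are what the page's Snowflake SQL expresses in its WHERE clause; the permission flattening and the succeeded flag are extra fields a triage analyst would want beside each hit.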
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1098
Created: 2024-02-09