
Summary
This detection rule identifies modifications to the trusted IP sets used by AWS GuardDuty and AWS Web Application Firewall (WAF). Changes to these sets can indicate an attempt to evade security monitoring, since an address placed on a trusted list no longer produces alerts when it is malicious. The rule fires when an IPSet is created or updated in the AWS environment, which it observes through CloudTrail events such as 'CreateIPSet'. It flags unauthorized modifications that could weaken the security posture of an AWS account by allowing untrusted IPs to operate without alerts. The rule carries a high severity rating because trusted IP management is critical to keeping these services effective. A deduplication period of 60 minutes suppresses repeated alerts for the same event. The rule's tests check that each of the IP set activities above produces the expected result and that deviations raise an alert, guarding the integrity of the AWS security tooling.
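As an added example (not the rule's own code), the following Python applies the logic described above to constructed CloudTrail records: it matches CreateIPSet/UpdateIPSet calls against the GuardDuty and WAF event sources, builds a deduplication key, and suppresses repeats within the 60-minute window. The event-source list, the skipping of failed calls, and the requestParameters field names used for the key are assumptions.

```python
from datetime import datetime, timedelta
# Event sources whose IPSet APIs define trusted/allow-listed addresses (assumed list).
IPSET_SOURCES = {"guardduty.amazonaws.com", "wafv2.amazonaws.com",
                 "waf.amazonaws.com", "waf-regional.amazonaws.com"}
IPSET_EVENTS = {"CreateIPSet", "UpdateIPSet"}
DEDUP_WINDOW = timedelta(minutes=60)  # the rule's 60-minute deduplication period

def rule(event):
    """True for a successful IPSet create/update in GuardDuty or WAF (assumption:
    failed calls, which CloudTrail records with errorCode, left the set unchanged)."""
    return (event.get("eventSource") in IPSET_SOURCES
            and event.get("eventName") in IPSET_EVENTS
            and "errorCode" not in event)

def dedup_key(event):
    """Account + service + IPSet identifier; parameter names vary by service (assumed)."""
    params = event.get("requestParameters") or {}
    ipset = params.get("ipSetId") or params.get("id") or params.get("name") or "unknown"
    return f"{event.get('recipientAccountId')}:{event.get('eventSource')}:{ipset}"

def evaluate(events):
    """Apply the rule to time-ordered records; repeat hits on one key inside the window are dropped."""
    last_alert, alerts = {}, []
    for ev in events:
        if not rule(ev):
            continue
        key = dedup_key(ev)
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if key in last_alert and ts - last_alert[key] < DEDUP_WINDOW:
            continue  # same IPSet touched again within 60 minutes: one alert only
        last_alert[key] = ts
        alerts.append(f"HIGH: {ev['eventName']} on {key} by {ev['userIdentity']['arn']}")
    return alerts

# Constructed CloudTrail-style records (not real logs): a create, an update 20 minutes
# later, a denied WAF call, and an unrelated S3 event.
_ACTOR = {"arn": "arn:aws:iam::111111111111:user/example-admin"}
SAMPLE_EVENTS = [
    {"eventTime": "2022-09-27T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "recipientAccountId": "111111111111",
     "userIdentity": _ACTOR, "requestParameters": {"name": "allow-list"}},
    {"eventTime": "2022-09-27T10:20:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateIPSet", "recipientAccountId": "111111111111",
     "userIdentity": _ACTOR, "requestParameters": {"name": "allow-list"}},
    {"eventTime": "2022-09-27T10:30:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "CreateIPSet", "errorCode": "AccessDenied",
     "recipientAccountId": "111111111111", "userIdentity": _ACTOR},
    {"eventTime": "2022-09-27T10:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "recipientAccountId": "111111111111", "userIdentity": _ACTOR},
]
```

Running evaluate(SAMPLE_EVENTS) yields a single high-severity alert for the initial CreateIPSet; the update 20 minutes later is collapsed into it, and the denied and unrelated calls never match.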
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Logon Session
ATT&CK Techniques
- T1562
Created: 2022-09-27