AWS Route Table Created

Elastic Detection Rules

Summary
This detection rule identifies the creation of AWS Route Tables, a critical part of managing network traffic within AWS environments. Adversaries may create unauthorized routes or route tables to reroute traffic for data exfiltration or other malicious purposes. The rule monitors AWS CloudTrail logs for successful creation events, specifically the event actions CreateRoute and CreateRouteTable, and correlates them with user identities and roles.

Investigative steps include reviewing AWS CloudTrail logs, examining the IAM roles associated with the creation, evaluating the configuration of newly created Route Tables for unauthorized entries, and cross-referencing with other network security data.

Common false positive scenarios include routine updates, automated processes, and legitimate changes by authorized personnel. Each requires careful consideration, and known activities can be exempted from alerts.

Immediate actions in response to an alert include isolating the affected resources, auditing IAM access, and updating security procedures to mitigate the risk of unauthorized network configurations.
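The matching logic described in the summary, sketched as an added Python example (not the Elastic rule's own query). The account ID, ARNs, resource IDs and the allowlist are constructed for illustration, and success is inferred from the absence of `errorCode` in the raw CloudTrail record.

```python
WATCHED_ACTIONS = {"CreateRoute", "CreateRouteTable"}  # actions named in the summary

# Assumption: principals whose routing changes are expected (e.g. an IaC pipeline).
ALLOWLISTED_ARNS = {"arn:aws:sts::111111111111:assumed-role/terraform-deploy/ci"}

def make_record(name, arn, params=None, error=None):
    """Build a constructed (not real) CloudTrail-shaped record for the demo."""
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn": arn},
           "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

SAMPLE_EVENTS = [
    make_record("CreateRouteTable", "arn:aws:sts::111111111111:assumed-role/dev/alice",
                {"vpcId": "vpc-0aaa1111"}),
    make_record("CreateRoute", "arn:aws:sts::111111111111:assumed-role/terraform-deploy/ci",
                {"routeTableId": "rtb-0bbb2222", "destinationCidrBlock": "10.1.0.0/16"}),
    make_record("CreateRoute", "arn:aws:sts::111111111111:assumed-role/dev/bob",
                {"routeTableId": "rtb-0ccc3333", "destinationCidrBlock": "0.0.0.0/0"},
                error="Client.UnauthorizedOperation"),
    make_record("DescribeRouteTables", "arn:aws:sts::111111111111:assumed-role/dev/alice"),
    make_record("CreateRoute", "arn:aws:sts::111111111111:assumed-role/dev/alice",
                {"routeTableId": "rtb-0ddd4444", "destinationCidrBlock": "0.0.0.0/0",
                 "gatewayId": "igw-0eee5555"}),
]

def find_route_changes(records, allowlist=ALLOWLISTED_ARNS):
    """Return one finding per successful, non-allowlisted creation event."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") not in WATCHED_ACTIONS):
            continue
        if "errorCode" in rec:  # failed call: nothing was created
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        if arn in allowlist:  # known activity exempted from alerting
            continue
        params = rec.get("requestParameters") or {}
        findings.append({"action": rec["eventName"], "principal": arn,
                         "route_table": params.get("routeTableId"),
                         "destination": params.get("destinationCidrBlock")})
    return findings

if __name__ == "__main__":
    for finding in find_route_changes(SAMPLE_EVENTS):
        print(finding)
```

Each finding keeps the principal and the requested destination so a reviewer can go straight to the IAM role and route entry named in the investigative steps.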
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
Created: 2021-06-05