
Summary
This rule detects CreateInstances API calls in the AWS Lightsail service. Lightsail offers cheap, quickly provisioned virtual private servers, and threat actors have used it to stand up infrastructure for hosting malicious activity inside a victim's account. The detection runs in Splunk and uses the `get_cloud_data` and `get_cloud_data_aws` commands to pull CloudTrail records whose event source is the Lightsail API and whose event name is CreateInstances. Matching events are bucketed into 1-second bins and presented as a table, so a burst of instance creation stands out immediately. The per-bin statistics are enriched with IP geolocation and DNS lookups on the source IP address, giving analysts context on where the call originated and whether it fits the account's normal usage. Because the data comes from AWS CloudTrail, the rule surfaces Lightsail instance creation that can indicate initial access by an unauthorized account or by compromised credentials. The API call itself is not malicious, so the rule should be tuned against the users, roles and source addresses that legitimately provision Lightsail instances in the environment.
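As an added example (not the rule's own Splunk search and not code from this page), the following Python reimplements the core of the detection over a few constructed CloudTrail records: keep only records whose eventSource is lightsail.amazonaws.com and whose eventName is CreateInstances, group them into 1-second bins by caller, source IP and region, and render the result as a table. The field names follow the CloudTrail record schema; every value in the sample log (user names, role ARN, IP addresses, instance names) is invented for the example. The IP geolocation and DNS enrichment described above are omitted because they need network access.

```python
"""Offline re-implementation of the Lightsail CreateInstances detection.

Added example: filters CloudTrail records for Lightsail CreateInstances calls
and aggregates them into 1-second bins, mirroring the Splunk rule's logic.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

LIGHTSAIL_SOURCE = "lightsail.amazonaws.com"
CREATE_EVENT = "CreateInstances"

# Constructed sample records (not real CloudTrail data), one JSON object per
# line as CloudTrail delivers them after unpacking the "Records" array.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2024-03-21T10:15:32Z", "eventSource": LIGHTSAIL_SOURCE,
     "eventName": CREATE_EVENT, "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instanceNames": ["web-1"],
                           "blueprintId": "ubuntu_22_04", "bundleId": "nano_3_0"}},
    {"eventTime": "2024-03-21T10:15:32Z", "eventSource": LIGHTSAIL_SOURCE,
     "eventName": CREATE_EVENT, "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instanceNames": ["web-2", "web-3"],
                           "blueprintId": "ubuntu_22_04", "bundleId": "nano_3_0"}},
    {"eventTime": "2024-03-21T10:15:33Z", "eventSource": LIGHTSAIL_SOURCE,
     "eventName": CREATE_EVENT, "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session"},
     "requestParameters": {"instanceNames": ["miner-0"],
                           "blueprintId": "ubuntu_22_04", "bundleId": "large_3_0"}},
    # Noise that the filter must ignore: an EC2 launch and a Lightsail read call.
    {"eventTime": "2024-03-21T10:15:32Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": None},
    {"eventTime": "2024-03-21T10:15:34Z", "eventSource": LIGHTSAIL_SOURCE,
     "eventName": "GetInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": None},
])


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_lightsail_create(rec):
    """The rule's core predicate: Lightsail API source and CreateInstances call."""
    return rec.get("eventSource") == LIGHTSAIL_SOURCE and rec.get("eventName") == CREATE_EVENT


def actor(rec):
    """Best available caller label: IAM user name, else the (role session) ARN."""
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def second_bin(rec):
    """Epoch second of the event, i.e. the 1-second bin it falls into."""
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return int(ts.replace(tzinfo=timezone.utc).timestamp())


def detect(records):
    """Return one row per (bin, caller, source IP, region) with counts and instance names."""
    bins = defaultdict(lambda: {"count": 0, "instance_names": []})
    for rec in records:
        if not is_lightsail_create(rec):
            continue
        key = (second_bin(rec), actor(rec), rec.get("sourceIPAddress", ""), rec.get("awsRegion", ""))
        params = rec.get("requestParameters") or {}  # CloudTrail may emit null here
        bins[key]["count"] += 1
        bins[key]["instance_names"].extend(params.get("instanceNames") or [])
    return [{"bin": b, "user": u, "src_ip": ip, "region": r,
             "count": v["count"], "instance_names": v["instance_names"]}
            for (b, u, ip, r), v in sorted(bins.items())]


def render_table(rows):
    """Plain-text table in the spirit of the rule's tabular output."""
    lines = ["bin_utc              user                                  src_ip         region     count instances"]
    for row in rows:
        when = datetime.fromtimestamp(row["bin"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{when}  {row['user']:<36}  {row['src_ip']:<14} {row['region']:<10} "
                     f"{row['count']:>5} {','.join(row['instance_names'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(detect(parse_records(SAMPLE_LOG))))
```

Running the block prints two rows: the two same-second calls from `deploy-bot` collapse into one bin with a count of 2, and the assumed-role call from a different address lands in the next bin. In a real deployment the interesting signal is a caller, source IP or region that has not created Lightsail instances before, which is where the geolocation and DNS context from the rule is applied.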
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1078.004
- T1078
Created: 2024-03-21