
Summary
This detection rule identifies the launch of new AWS EC2 instances by matching 'RunInstances' API calls in AWS CloudTrail logs, recording when, where, and by which principal instances were started. Threat actors such as Scattered Spider (also tracked as Muddled Libra, Scatter Swine, and UNC3944) abuse this capability to launch attacker-controlled Amazon Machine Images (AMIs) or to provision large instances for cryptojacking. The rule surfaces RunInstances events from the last two hours so that unauthorized use of cloud compute can be caught early. The query is written in Snowflake SQL. Because RunInstances is routine activity in most accounts, the rule on its own produces a baseline of launch activity; its value comes from enriching each hit with the calling identity, source IP, instance type, and AMI, and from allowlisting expected automation such as Auto Scaling and CI/CD roles before alerting.
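As an added example (not the rule's own Snowflake SQL and not code from the rule's authors), the following Python applies the same selection logic to a handful of constructed CloudTrail records: keep only successful 'RunInstances' calls from ec2.amazonaws.com within the last two hours, then pull the launched instance IDs, AMIs, and instance types out of responseElements. The "large or accelerated instance" heuristic used to highlight possible cryptojacking is an assumption added here, not part of the rule; the CloudTrail field names are the standard record layout.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records for illustration only; not real log data.
# Field names follow the standard CloudTrail layout for EC2 RunInstances.
SAMPLE_EVENTS = [
    {   # successful launch of two GPU instances, inside the window
        "eventTime": "2024-02-09T10:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaaa0000000000a1", "imageId": "ami-0123456789abcdef0", "instanceType": "p3.8xlarge"},
            {"instanceId": "i-0aaaa0000000000a2", "imageId": "ami-0123456789abcdef0", "instanceType": "p3.8xlarge"},
        ]}},
    },
    {   # routine small launch, inside the window
        "eventTime": "2024-02-09T10:55:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0bbbb0000000000b1", "imageId": "ami-0fedcba9876543210", "instanceType": "t3.micro"},
        ]}},
    },
    {   # launch five hours ago: outside the two-hour window
        "eventTime": "2024-02-09T06:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0cccc0000000000c1", "imageId": "ami-0123456789abcdef0", "instanceType": "m5.large"},
        ]}},
    },
    {   # read-only call: wrong eventName
        "eventTime": "2024-02-09T10:40:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # denied launch: errorCode present, responseElements null, no instance created
        "eventTime": "2024-02-09T10:45:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "errorCode": "Client.UnauthorizedOperation",
        "sourceIPAddress": "198.51.100.99",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "responseElements": None,
    },
]

# Fixed reference time so the example is deterministic; production code would use datetime.now(timezone.utc).
NOW = datetime(2024, 2, 9, 11, 0, tzinfo=timezone.utc)

# Assumed heuristic for "large" compute worth a closer look (not part of the rule):
# big size suffixes, bare metal, or GPU/accelerator families.
LARGE_SIZES = {"8xlarge", "12xlarge", "16xlarge", "24xlarge", "32xlarge", "48xlarge", "metal"}
ACCELERATED_FAMILY_PREFIXES = ("p", "g", "inf", "trn")


def is_large_instance(instance_type):
    """True for instance types that are unusually large or accelerated."""
    family, _, size = instance_type.partition(".")
    return size in LARGE_SIZES or family.startswith(ACCELERATED_FAMILY_PREFIXES)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recent_run_instances(events, now, window_minutes=120):
    """Return one record per launched instance for successful RunInstances calls in the window."""
    cutoff = now - timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "RunInstances":
            continue
        if ev.get("errorCode"):          # failed or denied calls launch nothing
            continue
        event_time = parse_event_time(ev["eventTime"])
        if not (cutoff <= event_time <= now):
            continue
        items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
        for item in items:
            hits.append({
                "eventTime": ev["eventTime"],
                "user_arn": (ev.get("userIdentity") or {}).get("arn"),
                "src_ip": ev.get("sourceIPAddress"),
                "region": ev.get("awsRegion"),
                "instanceId": item.get("instanceId"),
                "imageId": item.get("imageId"),
                "instanceType": item.get("instanceType"),
                "large": is_large_instance(item.get("instanceType", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in recent_run_instances(SAMPLE_EVENTS, NOW):
        flag = "LARGE " if hit["large"] else ""
        print(f"{hit['eventTime']} {hit['region']} {hit['user_arn']} {hit['src_ip']} "
              f"{hit['instanceId']} {hit['imageId']} {flag}{hit['instanceType']}")
```

Filtering on errorCode matters: a denied RunInstances still produces a CloudTrail record, but with responseElements null, so a query that reads instance details from responseElements without that check will silently drop the denied attempt while a query that only counts RunInstances events will overcount launches. The same shape transfers directly to the Snowflake query, where the two-hour window becomes a comparison of eventTime against DATEADD of the current timestamp.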
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1578
Created: 2024-02-09