
AWS Lambda Layer Added to Existing Function

Elastic Detection Rules

Summary
This detection rule identifies when a Lambda Layer is added to an existing AWS Lambda function, which can indicate an unauthorized persistence mechanism or the execution of malicious code within the function. Lambda layers are meant for sharing code and data, but attackers can misuse them to maintain their presence. The rule collects data from AWS CloudTrail logs over a specified time frame, specifically monitoring for events where layers are published or function configurations are updated. Investigative steps are detailed to verify the legitimacy of such actions and to examine who made the change, the parameters involved, the request origin, the timing of the modification, and any correlated activity that could indicate malicious behavior. If an unauthorized layer addition is detected, immediate actions are suggested to mitigate potential threats, including reversal of the unauthorized change, an audit of the affected Lambda functions, and improvements to monitoring.
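As an added example (not the rule's own query, which this page does not show), the following Python runs the check over constructed CloudTrail records. It assumes the CloudTrail event names `PublishLayerVersion20181031` and `UpdateFunctionConfiguration20150331v2` for the two Lambda API calls, flags only those configuration updates whose request parameters set `layers`, and skips calls that failed with an `errorCode`, since a rejected call changed nothing.

```python
# CloudTrail eventName values for the two Lambda API calls the rule watches. They
# are assumed from the AWS Lambda API here; the page does not list the rule's query.
LAYER_EVENTS = {"PublishLayerVersion20181031", "UpdateFunctionConfiguration20150331v2"}

# Constructed sample CloudTrail records (not real log data); only the fields read below.
SAMPLE_RECORDS = [
    {"eventTime": "2024-04-30T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"functionName": "billing-export",
                           "layers": ["arn:aws:lambda:us-east-1:123456789012:layer:helper:3"]}},
    # Same function, but this update does not touch layers: not a layer addition.
    {"eventTime": "2024-04-30T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"functionName": "billing-export", "timeout": 30}},
    # Publishing a new layer version is reported as well.
    {"eventTime": "2024-04-30T10:07:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "PublishLayerVersion20181031",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"layerName": "helper"}},
    # A denied attempt changed nothing, so it is skipped.
    {"eventTime": "2024-04-30T10:09:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"functionName": "billing-export",
                           "layers": ["arn:aws:lambda:us-east-1:123456789012:layer:helper:4"]}},
]

def find_layer_changes(records):
    """Return one finding per successful call that publishes a layer or attaches
    layers to an existing function; failed calls and unrelated updates are ignored."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        if rec.get("eventSource") != "lambda.amazonaws.com" or name not in LAYER_EVENTS:
            continue
        if rec.get("errorCode"):  # the API rejected the call, nothing was modified
            continue
        params = rec.get("requestParameters") or {}
        if name.startswith("UpdateFunctionConfiguration") and not params.get("layers"):
            continue  # configuration update that does not set layers
        findings.append({"time": rec.get("eventTime"), "action": name,
                         "actor": rec.get("userIdentity", {}).get("arn"),
                         "source_ip": rec.get("sourceIPAddress"),
                         "function": params.get("functionName"),
                         "layers": params.get("layers", []),
                         "layer_name": params.get("layerName")})
    return findings
```

Each finding carries the actor ARN, source IP, time and layer ARNs, which are the fields the investigative steps above ask to examine.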
Categories
  • Cloud
  • AWS
  • Kubernetes
  • Containers
Data Sources
  • Cloud Storage
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1648
Created: 2024-04-30