
AWS Add role to instance profile

Anvilogic Forge

Summary
This detection rule monitors for events in which a role has been added to an instance profile in AWS. Specifically, it filters for the AWS CloudTrail event "AddRoleToInstanceProfile", which records a change to the set of roles attached to an instance profile. Drawing on the cloud and cloud IAM log sources, the rule aggregates the relevant fields (time, user, account, source IP and other pertinent details) into a structured table. It invokes the `get_cloud_data` function to pull the necessary logs from AWS CloudTrail and organizes them so that security teams can identify unusual account manipulations that could indicate unauthorized changes, particularly those used for persistence. The output includes geographic information derived from the source IP, showing where the request originated and potentially aiding threat attribution.
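The filter the summary describes, as an added Python example that is not the rule's own code or Anvilogic's: it reads a CloudTrail log file, keeps only AddRoleToInstanceProfile events from the IAM service, and tabulates the fields the rule aggregates. The records are constructed for the example; `get_cloud_data` is not reproduced and the GeoIP enrichment of the source address is left out because it needs an external database.

```python
import json

# Constructed sample CloudTrail log file (not real log data): a successful
# AddRoleToInstanceProfile call, a denied attempt at the same API, and an
# unrelated IAM event that the filter must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-02-09T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddRoleToInstanceProfile", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"instanceProfileName": "web-profile", "roleName": "AdminRole"}},
    {"eventTime": "2024-02-09T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddRoleToInstanceProfile", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "requestParameters": {"instanceProfileName": "db-profile", "roleName": "DataRole"}},
    {"eventTime": "2024-02-09T10:17:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateInstanceProfile", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"instanceProfileName": "web-profile"}},
]})


def detect_add_role_to_instance_profile(log_text):
    """Return one row per AddRoleToInstanceProfile event with the fields the rule tabulates."""
    rows = []
    for ev in json.loads(log_text).get("Records", []):
        # Match on the IAM event source as well as the name, not the name alone.
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "AddRoleToInstanceProfile":
            continue
        # requestParameters is null in CloudTrail when a call is rejected early.
        params = ev.get("requestParameters") or {}
        rows.append({
            "time": ev.get("eventTime"),
            "user": (ev.get("userIdentity") or {}).get("arn"),
            "account": ev.get("recipientAccountId"),
            "src_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            "instance_profile": params.get("instanceProfileName"),
            "role": params.get("roleName"),
            # A denied call still lands in CloudTrail; keep it, flagged, since
            # repeated denials against IAM are themselves worth a look.
            "outcome": "denied:" + ev["errorCode"] if ev.get("errorCode") else "success",
        })
    return rows
```

Running `detect_add_role_to_instance_profile(SAMPLE_LOG)` yields two rows: the successful attachment of AdminRole to web-profile and the denied attempt on db-profile; the CreateInstanceProfile record is dropped.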
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1098
Created: 2024-02-09