Cloud Compute Instance Created By Previously Unseen User

Splunk Security Content

Summary
This analytic rule detects the creation of cloud compute instances by users who have not previously performed this action. It uses the Change data model to monitor 'create' actions on cloud resources, primarily from AWS CloudTrail logs. By establishing a baseline of each user's past behaviour, it identifies activity that may indicate an account compromise or misuse. Unauthorised instance creation can lead to increased operational costs, unauthorised data access, or abuse of the cloud environment. Because an instance created by a previously unseen user may indicate a security threat, this rule flags such instances for further scrutiny.
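The baseline-and-compare logic described above, written out as an added Python example (not the Splunk rule's own SPL or any code from Splunk Security Content). It normalises CloudTrail-shaped records to the Change-data-model style fields the analytic reasons over (user, action, object category, time), builds the set of users who created instances during a lookback baseline, and flags instance creations in the current detection window by users absent from that baseline. The events, account ID, user names, baseline length and window length are all constructed for illustration; the CloudTrail field names and the RunInstances API call are real.

```python
"""Detect cloud compute instances created by previously unseen users.

Added example: baseline-and-compare over constructed CloudTrail-style events.
The events below are made up for illustration and are not real log data.
"""
from datetime import datetime, timedelta

# Constructed sample events in simplified AWS CloudTrail shape (not real data).
ACCT = "arn:aws:iam::111122223333:"
SAMPLE_EVENTS = [
    {"eventTime": "2024-09-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/carol"}},
    {"eventTime": "2024-10-01T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/alice"}},
    {"eventTime": "2024-10-15T14:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/alice"}},
    {"eventTime": "2024-10-20T11:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "role/ci-deployer"}},
    {"eventTime": "2024-11-10T02:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": ACCT + "user/bob"}},
    {"eventTime": "2024-11-12T03:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/bob"}},
    {"eventTime": "2024-11-12T03:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/bob"}},
    {"eventTime": "2024-11-12T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/carol"}},
    {"eventTime": "2024-11-13T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACCT + "user/alice"}},
]

# CloudTrail API calls that create EC2 instances (real API name).
CREATE_EVENTS = {"RunInstances"}


def parse_time(value):
    """Parse a CloudTrail eventTime string (UTC, 'Z' suffix) to a datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(event):
    """Map a raw CloudTrail record to Change-data-model style fields."""
    return {
        "_time": parse_time(event["eventTime"]),
        "user": event["userIdentity"]["arn"],
        "action": "created" if event["eventName"] in CREATE_EVENTS else "other",
        "object_category": ("instance" if event["eventSource"] == "ec2.amazonaws.com"
                            else "unknown"),
    }


def detect_new_instance_creators(events, now, baseline_days=30, window_hours=24):
    """Flag instance creations in the last `window_hours` whose user created no
    instance in the preceding `baseline_days`. `now` is an eventTime-style string.
    Returns one finding per flagged user (event count, first time seen), ordered
    by first_seen. Baseline and window lengths are assumed tunables, not the
    rule's actual values."""
    now_dt = parse_time(now)
    window_start = now_dt - timedelta(hours=window_hours)
    baseline_start = window_start - timedelta(days=baseline_days)
    creates = [n for n in map(normalize, events)
               if n["action"] == "created" and n["object_category"] == "instance"]
    # Users with instance creations in the baseline period are "known".
    known_users = {c["user"] for c in creates
                   if baseline_start <= c["_time"] < window_start}
    findings = {}
    for c in creates:
        in_window = window_start <= c["_time"] <= now_dt
        if not in_window or c["user"] in known_users:
            continue
        f = findings.setdefault(c["user"], {"user": c["user"], "count": 0,
                                            "first_seen": c["_time"]})
        f["count"] += 1
        f["first_seen"] = min(f["first_seen"], c["_time"])
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in detect_new_instance_creators(SAMPLE_EVENTS, "2024-11-13T12:00:00Z",
                                                baseline_days=30, window_hours=48):
        print(f"{finding['first_seen']:%Y-%m-%d %H:%M} {finding['user']} "
              f"created {finding['count']} instance(s); not seen in baseline")
```

Running the sample flags bob (two RunInstances calls, never seen creating before) and also carol, whose only earlier creation falls before the 30-day baseline; widening the baseline to 90 days clears carol while bob stays flagged. That is the tuning trade-off a practitioner should expect from this rule: a short baseline raises noise from infrequent but legitimate operators, a long one delays detection of accounts that were compromised before the baseline started.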
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1078.004
  • T1078
Created: 2024-11-14