
Summary
This detection rule is designed to monitor and identify instances where an abnormal number of Google Cloud Platform (GCP) compute instances are created within a specified time frame. By utilizing GCP audit logs, this rule analyzes events where the 'compute.instances.insert' action is logged, indicating new instance creation. It collects data for each event, including the _time, host, user, event_name, account, resource_id, action, ACL permissions, user type, source IP, HTTP user agent, bucket name, log message, cloud region, and vendor product.
The detection logic aggregates events by the account responsible for the instance creation over a window of 300 seconds. If the count of such events for one account exceeds 10 within that window, the rule triggers an alert. This rule is useful for identifying potential abuse or misconfiguration in the cloud environment, as the creation of too many instances in a short amount of time can indicate resource hijacking attempts (for example, compute capacity being provisioned for cryptomining). The rule combines real-time collection of audit events with time-bucketed grouping by account so that anomalous bursts of GCP resource creation are detected promptly.
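The following is an added, stand-alone re-implementation of the logic described above, written to show how the rule's fields, grouping and threshold work against sample data; it is not the rule's own query or the vendor's code. The audit-log lines are constructed for the example, the field paths follow the GCP audit log JSON layout (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata`), and the choice to bin events into fixed, epoch-aligned 300-second buckets is an assumption about how the rule groups time.

```python
"""Added example (not the rule's own code): replay constructed GCP audit-log
lines through the 'more than 10 compute.instances.insert events per account
per 300 seconds' detection described in the summary."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Optional

WINDOW_SECONDS = 300   # aggregation window stated in the rule description
THRESHOLD = 10         # alert when an account exceeds this many inserts per window


def parse_audit_event(line: str) -> Optional[dict]:
    """Return the fields the rule keeps for one instance-creation audit-log
    line, or None when the line is not a compute.instances.insert event."""
    rec = json.loads(line)
    payload = rec.get("protoPayload", {})
    method = payload.get("methodName", "")
    if not method.endswith("compute.instances.insert"):
        return None
    # GCP timestamps are RFC 3339 with a trailing 'Z'; normalise for fromisoformat.
    ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    meta = payload.get("requestMetadata", {})
    return {
        "_time": ts.timestamp(),
        "account": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource_id": payload.get("resourceName"),
        "action": method,
        "src_ip": meta.get("callerIp"),
        "http_user_agent": meta.get("callerSuppliedUserAgent"),
        "cloud_region": rec.get("resource", {}).get("labels", {}).get("zone"),
    }


def detect_instance_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Group creation events by (account, fixed window-second bucket) and
    return one alert per bucket whose count exceeds the threshold."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_audit_event(line)
        if ev is None:
            continue                       # deletes, gets, etc. are ignored
        bucket = int(ev["_time"] // window) * window   # assumption: epoch-aligned bins
        counts[(ev["account"], bucket)] += 1
    return [
        {"account": acct, "window_start": bucket, "count": n}
        for (acct, bucket), n in sorted(counts.items())
        if n > threshold
    ]


def _make_event(method, email, minute, second, n=0):
    """Build one constructed audit-log line (sample data, not a real record)."""
    return json.dumps({
        "timestamp": f"2024-02-09T10:{minute:02d}:{second:02d}Z",
        "resource": {"type": "gce_instance", "labels": {"zone": "us-central1-a"}},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": email},
            "resourceName": f"projects/example-project/zones/us-central1-a/instances/vm-{n}",
            "requestMetadata": {"callerIp": "203.0.113.10",
                                "callerSuppliedUserAgent": "google-cloud-sdk"},
        },
    })


SVC = "svc-build@example-project.iam.gserviceaccount.com"   # constructed principal
USER = "alice@example.com"                                   # constructed principal

# Constructed sample log: 12 inserts by SVC inside the 10:00-10:05 bucket (alert),
# 3 inserts by USER (below threshold), 2 deletes by SVC (ignored), and one more
# SVC insert at 10:06 that lands in the next bucket (count 1, no alert).
SAMPLE_LOG = (
    [_make_event("v1.compute.instances.insert", SVC, 0 + (5 + 10 * i) // 60,
                 (5 + 10 * i) % 60, n=i) for i in range(12)]
    + [_make_event("v1.compute.instances.insert", USER, 3, 10 * i, n=100 + i) for i in range(3)]
    + [_make_event("v1.compute.instances.delete", SVC, 4, 30 + i, n=i) for i in range(2)]
    + [_make_event("v1.compute.instances.insert", SVC, 6, 0, n=200)]
)

if __name__ == "__main__":
    for alert in detect_instance_bursts(SAMPLE_LOG):
        print(alert)
```

Running the script reports a single alert for the service account with a count of 12 in the bucket starting at 10:00:00 UTC; the three creations by the second principal and the delete events produce nothing. Raising the threshold or widening the window changes only the two module constants, which is the tuning a team would do if legitimate autoscaling in their environment routinely exceeds 10 instances per five minutes.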
Categories
- Cloud
- GCP
Data Sources
- Cloud Storage
- Process
- Network Traffic
ATT&CK Techniques
- T1496
Created: 2024-02-09