AWS Route 53 Domain Transfer Lock Disabled

Elastic Detection Rules

Summary
This detection rule is designed to identify when a transfer lock is removed from a Route 53 domain in AWS. The transfer lock is a security feature that prevents unauthorized transfer of domain names. Removing this lock can expose a domain to potential hijacking risks, thereby allowing adversaries to control web traffic or disrupt services. The rule specifically monitors the CloudTrail logs for events where the lock is disabled, alerting analysts to possible unauthorized changes. Investigating these events involves checking CloudTrail logs for the responsible user or account, verifying the legitimacy of the action, and considering the larger security implications. Proper management of domain transfer locks is critical for maintaining the integrity of domain ownership.
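The check and the first triage step described above, as an added Python example that is not the rule's own query or code from Elastic. The event name `DisableDomainTransferLock` and event source `route53domains.amazonaws.com` are assumed from the AWS API and are not quoted on this page; the log records, ARNs, and the approved-principal list are constructed.

```python
import json

# Assumption: AWS API names for the Route 53 Domains call; not quoted from the rule page.
EVENT_SOURCE = "route53domains.amazonaws.com"
EVENT_NAME = "DisableDomainTransferLock"

def _rec(name, arn, ip, domain, error=None):
    """Build one constructed CloudTrail record (sample data, not a real log)."""
    rec = {"eventTime": "2024-01-15T09:30:00Z", "eventSource": EVENT_SOURCE,
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "arn": arn},
           "requestParameters": {"domainName": domain}}
    if error:
        rec["errorCode"] = error
    return rec

ADMIN = "arn:aws:iam::111122223333:user/dns-admin"    # constructed
OTHER = "arn:aws:iam::111122223333:user/build-agent"  # constructed
SAMPLE_LOG = json.dumps({"Records": [
    _rec(EVENT_NAME, ADMIN, "203.0.113.10", "example.com"),
    _rec(EVENT_NAME, OTHER, "198.51.100.7", "example.org"),
    _rec(EVENT_NAME, OTHER, "198.51.100.7", "example.net", error="AccessDenied"),
    _rec("EnableDomainTransferLock", ADMIN, "203.0.113.10", "example.com"),
]})

def find_lock_removals(raw_log, approved_principals=frozenset()):
    """Return one finding per successful transfer-lock removal in a CloudTrail log file."""
    findings = []
    for rec in json.loads(raw_log).get("Records", []):
        if rec.get("eventSource") != EVENT_SOURCE or rec.get("eventName") != EVENT_NAME:
            continue
        if rec.get("errorCode"):  # call was rejected, so the lock is still in place
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        findings.append({
            "time": rec.get("eventTime"),
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "domain": (rec.get("requestParameters") or {}).get("domainName"),
            # Actors outside the approved list are the ones to verify first.
            "needs_review": actor not in approved_principals,
        })
    return findings

if __name__ == "__main__":
    for finding in find_lock_removals(SAMPLE_LOG, approved_principals={ADMIN}):
        print(finding)
```

Rejected calls are skipped here because the lock state did not change; they can still be worth reviewing separately as attempted changes.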
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1098
Created: 2021-05-10