
Summary
This detection rule identifies unusual modifications to AWS security groups by individual users within 30-minute intervals. Using AWS CloudTrail logs, the rule filters for the API calls that create, modify, or delete security groups, then counts how many distinct security groups each user touched in each 30-minute window. It calculates the mean and standard deviation of that count for each user and applies a 3-sigma rule: a window in which a user's count exceeds the mean plus three standard deviations is flagged as an anomaly. This is useful for detecting account compromise or insider threats, where unauthorized alterations to security groups could expose sensitive resources or disrupt services. Two caveats apply in practice. A principal with no prior history (a freshly created user or assumed role) has no baseline to compare against, and a threshold learned from only a handful of windows is unreliable, while a user whose activity has been perfectly regular has a standard deviation of zero, so any increase at all will be flagged. Infrastructure-as-code pipelines and deployment roles that legitimately change many security groups in bursts are the most common source of false positives and should be tuned or allowlisted.
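The windowing and 3-sigma logic described above, as an added example that is not the rule's own search. The page does not show the rule's query or its exact list of CloudTrail event names, so the event set, the minimal record layout, the account ID, and the sample log records below are constructed assumptions. The example baselines each window against the user's other windows (leave-one-out) rather than including the scored window in its own baseline, and it deliberately includes a new principal with no history and a perfectly regular automation role to show both caveats.

```python
"""Per-user 3-sigma detection of unusual security group churn in CloudTrail.

Added example; not the rule's own search logic. Event shapes are minimal
constructed records, and the eventName list is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

# Assumed set of write actions the rule keys on; the page does not list them.
SG_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
}
WINDOW_SECONDS = 30 * 60


def window_start(event_time: str) -> datetime:
    """Floor an ISO-8601 CloudTrail eventTime to its 30-minute bucket (UTC)."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % WINDOW_SECONDS, tz=timezone.utc)


def group_ids(event: dict) -> set:
    """Collect the security group IDs an event names (request or response side)."""
    ids = set()
    for side in ("requestParameters", "responseElements"):
        gid = (event.get(side) or {}).get("groupId")
        if gid:
            ids.add(gid)
    return ids


def distinct_groups_per_window(events):
    """Return {user_arn: {window_start: distinct SG count}} for SG write events."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("eventName") not in SG_EVENTS:
            continue  # read-only calls such as DescribeSecurityGroups are ignored
        user = ev["userIdentity"]["arn"]
        buckets[user][window_start(ev["eventTime"])] |= group_ids(ev)
    return {u: {w: len(ids) for w, ids in ws.items()} for u, ws in buckets.items()}


def flag_anomalies(events, sigma=3.0, min_baseline=2):
    """Flag windows where a user's distinct-group count exceeds mean + sigma*stdev.

    The baseline for each window is that user's *other* windows (leave-one-out).
    Scoring a window against a baseline that contains it is a trap: with n
    windows, sample stdev bounds any single z-score at (n-1)/sqrt(n), so a
    3-sigma rule cannot fire at all until the user has at least 11 windows.
    """
    alerts = []
    for user, windows in distinct_groups_per_window(events).items():
        for w, n in sorted(windows.items()):
            baseline = [c for other, c in windows.items() if other != w]
            if len(baseline) < min_baseline:
                continue  # brand-new principal: no history to compare against
            mu, sd = mean(baseline), stdev(baseline)
            threshold = mu + sigma * sd
            if n > threshold:
                alerts.append({"user": user, "window_start": w.isoformat(),
                               "distinct_groups": n, "threshold": round(threshold, 2)})
    return alerts


def make_event(name, when, action, gid):
    """Constructed minimal CloudTrail record for this example (not real log data)."""
    return {"eventTime": when, "eventName": action,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{name}"},
            "requestParameters": {"groupId": gid}}


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    # alice: quiet baseline of one or two groups per window
    make_event("alice", "2024-11-14T09:05:00Z", "AuthorizeSecurityGroupIngress", "sg-0aaa"),
    make_event("alice", "2024-11-14T09:06:00Z", "DescribeSecurityGroups", "sg-0zzz"),  # read, ignored
    make_event("alice", "2024-11-14T09:40:00Z", "AuthorizeSecurityGroupIngress", "sg-0aaa"),
    make_event("alice", "2024-11-14T09:50:00Z", "RevokeSecurityGroupIngress", "sg-0bbb"),
    make_event("alice", "2024-11-14T10:10:00Z", "ModifySecurityGroupRules", "sg-0aaa"),
    make_event("alice", "2024-11-14T10:35:00Z", "AuthorizeSecurityGroupEgress", "sg-0bbb"),
    make_event("alice", "2024-11-14T10:55:00Z", "AuthorizeSecurityGroupEgress", "sg-0ccc"),
    make_event("alice", "2024-11-14T11:15:00Z", "RevokeSecurityGroupEgress", "sg-0ccc"),
    make_event("alice", "2024-11-14T11:45:00Z", "DeleteSecurityGroup", "sg-0bbb"),
    # alice: eight distinct groups opened in a single window
    *[make_event("alice", f"2024-11-14T12:{m:02d}:00Z", "AuthorizeSecurityGroupIngress", f"sg-0spike{i}")
      for i, m in enumerate(range(2, 26, 3))],
    # ci-role: perfectly regular, three groups in every window ...
    *[make_event("ci-role", f"2024-11-14T{h:02d}:10:00Z", "ModifySecurityGroupRules", g)
      for h in range(8, 14) for g in ("sg-0web", "sg-0app", "sg-0db")],
    # ... then one extra group; zero stdev means any increase crosses the line
    *[make_event("ci-role", "2024-11-14T14:10:00Z", "ModifySecurityGroupRules", g)
      for g in ("sg-0web", "sg-0app", "sg-0db", "sg-0new")],
    # bob: a single window, so no baseline exists yet and nothing is scored
    *[make_event("bob", "2024-11-14T13:05:00Z", "CreateSecurityGroup", f"sg-0bob{i}")
      for i in range(5)],
]

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the example raises exactly two alerts: alice's 12:00 window (8 distinct groups against a threshold of about 2.9) and ci-role's 14:00 window (4 groups against a threshold of exactly 3, because the role's history has zero variance). bob's five new groups produce nothing because he has no other window to form a baseline, which is the gap a compromised, freshly created principal would slip through; a production rule should pair this per-user baseline with an absolute floor or a peer-group comparison.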
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Storage
- Cloud Service
- Application Log
ATT&CK Techniques
- T1578
- T1578.005
Created: 2024-11-14