Abnormally High AWS Instances Launched by User

Splunk Security Content

Summary
This detection rule identifies anomalous behavior in Amazon Web Services (AWS) environments, specifically a user launching an unusually high number of EC2 instances. It uses AWS CloudTrail logs to find events where the `RunInstances` API call completed successfully. It then aggregates those events into 10-minute windows and, for each user, computes the average and standard deviation of instances launched per window. A window is flagged as an outlier when the number of instances a user launched in it exceeds the average plus a specified threshold, in this case four standard deviations. The aim is to surface potential misuse or unintended consumption of cloud resources, such as cryptomining activity or unauthorized provisioning.
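The statistical logic described above, re-implemented in Python as an added example (this is not Splunk's own search and not code from the Splunk Security Content project). It assumes CloudTrail records in their standard JSON shape (`eventName`, `eventTime`, `userIdentity.userName`, `responseElements.instancesSet.items`), treats a record with no `errorCode` as a successful call, and counts the instances each call actually returned rather than the calls themselves. The sample events are constructed for the example.

```python
"""Added example: per-user 10-minute windows, mean + 4 * stdev outlier test."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

WINDOW_SECONDS = 10 * 60          # the rule's 10-minute span
THRESHOLD_SIGMAS = 4              # flag when count > avg + 4 * stdev


def is_successful_run_instances(event):
    """Equivalent of eventName=RunInstances with no error recorded."""
    return event.get("eventName") == "RunInstances" and "errorCode" not in event


def instances_in(event):
    """Number of instances one RunInstances call launched.

    A single call can launch several instances; CloudTrail lists them under
    responseElements.instancesSet.items. Fall back to 1 if the field is absent.
    """
    items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return len(items) or 1


def window_start(event):
    """Truncate eventTime to the start of its 10-minute window (epoch seconds)."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % WINDOW_SECONDS


def instances_per_window(events):
    """{user: {window_start: instances_launched}} over successful launches only."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if is_successful_run_instances(ev):
            user = ev.get("userIdentity", {}).get("userName", "unknown")
            counts[user][window_start(ev)] += instances_in(ev)
    return counts


def find_outliers(events, sigmas=THRESHOLD_SIGMAS):
    """Flag windows where a user's launches exceed their own mean + sigmas * stdev.

    As with Splunk's eventstats, the baseline includes the window being tested.
    """
    outliers = []
    for user, windows in instances_per_window(events).items():
        values = list(windows.values())
        if len(values) < 2:          # stdev is undefined for a single window
            continue
        avg, sd = mean(values), stdev(values)   # sample stdev, like Splunk's stdev()
        for start, launched in sorted(windows.items()):
            if launched > avg + sigmas * sd:
                outliers.append({
                    "user": user,
                    "window_start": datetime.fromtimestamp(start, tz=timezone.utc)
                                            .strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "instances_launched": launched,
                    "avg": round(avg, 2),
                    "stdev": round(sd, 2),
                })
    return outliers


# --- constructed sample CloudTrail records (not real data) ---------------------
def _run_instances(user, when, n_instances, error=None):
    """Build a minimal CloudTrail-shaped RunInstances record (constructed)."""
    ev = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": f"i-{user}{when.hour:02d}{when.minute:02d}{i:03d}"}
            for i in range(n_instances)]}},
    }
    if error:                     # a denied call has an errorCode and no instances
        ev["errorCode"] = error
        del ev["responseElements"]
    return ev


T0 = datetime(2024, 11, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # alice: one instance every 10 minutes for 20 windows (steady baseline)
    [_run_instances("alice", T0 + timedelta(minutes=10 * i), 1) for i in range(20)]
    # alice: then 60 instances inside one window, as six calls of ten
    + [_run_instances("alice", T0 + timedelta(minutes=200, seconds=30 * j), 10)
       for j in range(6)]
    # alice: a denied call in the same window, which the rule ignores
    + [_run_instances("alice", T0 + timedelta(minutes=203), 5,
                      error="Client.UnauthorizedOperation")]
    # bob: two instances per window across five windows, nothing unusual
    + [_run_instances("bob", T0 + timedelta(minutes=10 * i + 5), 2) for i in range(5)]
)

if __name__ == "__main__":
    for hit in find_outliers(SAMPLE_EVENTS):
        print(hit)
```

One property of this test worth knowing when tuning it: because the baseline includes the window under test and uses the sample standard deviation, no value in a sample of n windows can lie more than (n-1)/sqrt(n) standard deviations above the mean. A 4-sigma threshold therefore cannot fire for a user with fewer than 18 windows of history, however large the spike; the constructed data gives alice 21 windows, and her 60-instance window lands at about 4.36 sigma, just over the line. Users with little history, or a lookback too short to accumulate windows, will never be flagged by this logic alone.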
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1078.004
Created: 2024-11-14