
AWS EKS Cluster Created or Deleted

Sigma Rules

Summary
This detection rule identifies the creation or deletion of AWS Elastic Kubernetes Service (EKS) clusters by monitoring AWS CloudTrail. It fires when a CloudTrail record carries the event source 'eks.amazonaws.com' together with the event name 'CreateCluster' or 'DeleteCluster'. These actions matter because an unauthorized cluster creation or deletion can lead to a security incident or a service disruption. The rule is assigned a low severity level, since creating and deleting clusters is often routine administrative work. Each hit should still be verified: check whether the user identity, user agent, and source host recorded in the event are expected to make such changes in your environment, and treat changes made by unfamiliar users as possible unauthorized access or malicious activity. The rule's false-positive guidance is that routine, legitimate administrator actions should be distinguished from potential threats rather than suppressed outright.
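The matching logic described above, run over a handful of constructed CloudTrail records, as an added example that is not part of the original rule page or the Sigma project's own code. The sample records, account ID, ARNs, and the allowlist of known operators are all assumptions made for illustration; the rule's selection itself (eventSource and eventName) is taken from the summary. CloudTrail records carry the caller's source IP address rather than a hostname, so that is the field extracted for the "source host" check.

```python
import json

# Detection selection described in the summary: CloudTrail records from the
# EKS service whose API action creates or deletes a cluster.
EVENT_SOURCE = "eks.amazonaws.com"
EVENT_NAMES = {"CreateCluster", "DeleteCluster"}

# Constructed sample CloudTrail delivery file (not real log data). CloudTrail
# log files wrap records in a top-level "Records" list; only the fields needed
# for matching and triage are populated here.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # should match: CLI-driven cluster creation by a named IAM user
        "eventTime": "2021-08-16T10:15:00Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": "CreateCluster",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.2.30 Python/3.8.8 Linux/5.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/platform-admin"},
        "requestParameters": {"name": "prod-eks"},
    },
    {   # should match: console-driven deletion by an assumed role
        "eventTime": "2021-08-16T11:02:41Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": "DeleteCluster",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ContractorRole/session1"},
        "requestParameters": {"name": "prod-eks"},
    },
    {   # should not match: read-only EKS call
        "eventTime": "2021-08-16T11:05:00Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": "DescribeCluster",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.2.30 Python/3.8.8 Linux/5.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/platform-admin"},
    },
    {   # should not match: same eventName but a different service (ECS)
        "eventTime": "2021-08-16T11:10:00Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": "CreateCluster",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.2.30 Python/3.8.8 Linux/5.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/platform-admin"},
    },
]})


def matches_rule(record):
    """Return True when a single CloudTrail record satisfies the rule's selection."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") in EVENT_NAMES)


def triage_fields(record):
    """Extract the fields the summary says to verify before closing a hit."""
    identity = record.get("userIdentity", {})
    return {
        "eventTime": record.get("eventTime"),
        "eventName": record.get("eventName"),
        "cluster": record.get("requestParameters", {}).get("name"),
        "actor": identity.get("arn"),
        "actorType": identity.get("type"),
        "userAgent": record.get("userAgent"),
        # CloudTrail records the caller's source IP, not a hostname
        "sourceIPAddress": record.get("sourceIPAddress"),
    }


def run_detection(log_file_json):
    """Parse a CloudTrail delivery file and return triage data for every match."""
    records = json.loads(log_file_json).get("Records", [])
    return [triage_fields(r) for r in records if matches_rule(r)]


def unexpected_hits(hits, expected_actor_arns):
    """False-positive handling: keep only hits whose actor is not a known
    operator. Hits by known operators still merit a look at the user agent and
    source address, but this filter does not escalate them."""
    return [h for h in hits if h["actor"] not in expected_actor_arns]


if __name__ == "__main__":
    hits = run_detection(SAMPLE_LOG_FILE)
    for h in hits:
        print(h)
    # assumption for illustration: platform-admin is a known cluster operator
    known = {"arn:aws:iam::111122223333:user/platform-admin"}
    for h in unexpected_hits(hits, known):
        print("ESCALATE:", h["eventName"], h["cluster"], "by", h["actor"])
```

Running the block matches two of the four records (the CreateCluster and DeleteCluster calls to eks.amazonaws.com), ignores the read-only DescribeCluster call and the ECS CreateCluster with the same event name, and escalates only the deletion performed by the unfamiliar assumed role.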
Categories
  • Cloud
  • AWS
  • Kubernetes
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2021-08-16