
AWS Modify Cloud Compute Infrastructure

Panther Rules

Summary
This detection rule monitors AWS EC2 modifications to ensure they occur only through expected automation. It alerts on changes made directly through the EC2 API that were not initiated by an automation service (e.g., AWS Auto Scaling). The rule inspects specific CloudTrail management events, focusing on actions such as 'TerminateInstances' that are typical of manual user modifications, which is critical for identifying unauthorized access to or accidental changes of the compute infrastructure. Each alert carries context so that security teams can respond efficiently, and false positives are kept low by automatically excluding actions initiated by AWS's own services, behaviour that is covered by the rule's test suite. The alerting can additionally be tuned to reduce noise in environments that make heavy use of EC2.
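The following is an added, illustrative Panther-style rule that shows the detection logic the summary describes; it is not Panther's published rule code. It assumes plain-dict CloudTrail records, the CloudTrail field userIdentity.invokedBy (which names the AWS service that made a call on the caller's behalf), an assumed list of EC2 event names beyond the one the summary mentions, and a hypothetical allowlist of automation role ARNs as the tuning knob. The sample events at the bottom are constructed for the example.

```python
"""Illustrative Panther-style rule: alert on manual EC2 changes in CloudTrail.

Added example; not Panther's own rule code. Functions follow the Panther
rule convention (rule(event) -> bool, title(event) -> str) but operate on
plain dicts so the file runs offline.
"""

# CloudTrail EC2 management events that change compute infrastructure.
# Assumed set: the summary names only TerminateInstances.
EC2_MODIFY_EVENTS = {
    "RunInstances",
    "TerminateInstances",
    "StopInstances",
    "StartInstances",
    "RebootInstances",
    "ModifyInstanceAttribute",
}

# Hypothetical tuning knob: automation roles that are allowed to change EC2
# directly (for example a CI deployment role). Empty by default.
ALLOWED_AUTOMATION_ROLE_ARNS: set = set()


def rule(event: dict) -> bool:
    """Return True when an EC2 modification was made by a human or an
    unexpected principal rather than by an AWS service or allowed role."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") not in EC2_MODIFY_EVENTS:
        return False
    identity = event.get("userIdentity", {})
    # invokedBy is set when an AWS service (e.g. autoscaling.amazonaws.com)
    # performed the action on behalf of the account: expected automation.
    if identity.get("invokedBy", "").endswith(".amazonaws.com"):
        return False
    # Assumed-role sessions from the tuning allowlist are also expected.
    if identity.get("arn") in ALLOWED_AUTOMATION_ROLE_ARNS:
        return False
    return True


def title(event: dict) -> str:
    """Alert title carrying the context a responder needs first."""
    arn = event.get("userIdentity", {}).get("arn", "<unknown>")
    return (
        f"Manual EC2 change: {event.get('eventName')} by {arn} "
        f"in {event.get('awsRegion')}"
    )


def alert_titles(events: list) -> list:
    """Run the rule over a batch of CloudTrail records; return alert titles."""
    return [title(e) for e in events if rule(e)]


# Constructed sample CloudTrail records (trimmed to the fields used above).
MANUAL_TERMINATE = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
}
AUTOSCALING_TERMINATE = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/"
                            "AWSServiceRoleForAutoScaling/AutoScaling",
                     "invokedBy": "autoscaling.amazonaws.com"},
}
READ_ONLY_DESCRIBE = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeInstances",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
}
SAMPLE_EVENTS = [MANUAL_TERMINATE, AUTOSCALING_TERMINATE, READ_ONLY_DESCRIBE]

if __name__ == "__main__":
    for t in alert_titles(SAMPLE_EVENTS):
        print(t)
```

Only the manual TerminateInstances record produces an alert; the Auto Scaling call is dropped by the invokedBy check and the DescribeInstances call never matches the modification set. Adding a known deployment role's ARN to ALLOWED_AUTOMATION_ROLE_ARNS is the tuning step the summary refers to for noisy EC2-heavy accounts.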
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Logon Session
  • Network Traffic
  • Process
  • Web Credential
ATT&CK Techniques
  • T1578
Created: 2022-10-14