
Summary
This rule detects the creation of new user accounts in CrowdStrike by monitoring event streams for specific authentication activity. When a new user is created, an event is logged that includes details such as the user ID, operation name, and service name. The rule matches events whose operation name is 'createUser', which confirms a new user creation. Each matching event produces an informational alert. The rule runs with a threshold of one, so it triggers on every new-user event detected; because it is marked informational severity, this does not generate excessive alerts. A deduplication period of 60 minutes prevents repeated notifications for the same user creation event across consecutive runs. When an alert fires, the new user's legitimacy must be confirmed. The rule does not create an automatic alert; it logs the event for review. It also includes test cases to validate correct operation: one for an expected new user creation and another to ensure unrelated events are not flagged erroneously.
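The following is an added illustration of the logic the summary describes, not the rule's own source code. It assumes a Panther-style rule interface (`rule()`, `title()`, `dedup()`, `severity()`) and assumes the event-stream record carries the user ID, operation name and service name at `event.UserId`, `event.OperationName` and `event.ServiceName`; the sample records are constructed for this example and mirror the two test cases the page mentions. The `evaluate_stream()` helper goes slightly beyond the page by simulating the threshold-of-one and 60-minute dedup behaviour over a short sequence of events.

```python
"""Added example: minimal detection for CrowdStrike event-stream 'createUser' events.

Illustrative code for this page, not the rule's own source. Field paths under
'event.*' are an assumed layout; the sample records below are constructed.
"""
from typing import Any

OPERATION_CREATE_USER = "createUser"
DEDUP_PERIOD_MINUTES = 60   # from the page: one alert per created user per hour
THRESHOLD = 1               # from the page: alert on the first matching event


def _get(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'event.OperationName' through nested dicts."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: dict) -> bool:
    """True when the record is a user-creation operation."""
    return _get(event, "event.OperationName") == OPERATION_CREATE_USER


def title(event: dict) -> str:
    """Alert title; the reviewer still has to confirm the account is legitimate."""
    user = _get(event, "event.UserId", "<unknown>")
    service = _get(event, "event.ServiceName", "<unknown>")
    return f"New user [{user}] created in CrowdStrike via {service}"


def dedup(event: dict) -> str:
    """Group repeats of the same creation into one alert instead of one per raw event."""
    return f"{OPERATION_CREATE_USER}:{_get(event, 'event.UserId', '<unknown>')}"


def severity(_event: dict) -> str:
    return "INFO"


def evaluate_stream(records: list[tuple[int, dict]]) -> list[str]:
    """Simulate consecutive rule runs over (epoch_seconds, event) pairs in time order.

    An alert fires on the first match (threshold 1); further matches with the same
    dedup key inside DEDUP_PERIOD_MINUTES of that alert are suppressed.
    """
    first_fired: dict[str, int] = {}
    alerts: list[str] = []
    for ts, ev in records:
        if not rule(ev):
            continue
        key = dedup(ev)
        prev = first_fired.get(key)
        if prev is not None and ts - prev < DEDUP_PERIOD_MINUTES * 60:
            continue
        first_fired[key] = ts
        alerts.append(title(ev))
    return alerts


# Constructed sample records (not real telemetry) mirroring the page's two test cases.
SAMPLE_NEW_USER = {
    "metadata": {"eventType": "UserActivityAuditEvent"},   # assumed envelope
    "event": {
        "UserId": "admin@example.com",
        "OperationName": "createUser",
        "ServiceName": "CrowdStrike Authentication",
    },
}

SAMPLE_UNRELATED = {
    "metadata": {"eventType": "UserActivityAuditEvent"},
    "event": {
        "UserId": "admin@example.com",
        "OperationName": "userAuthenticate",   # a login, not a creation
        "ServiceName": "CrowdStrike Authentication",
    },
}


def run_tests() -> dict:
    """The two checks the page describes: expected match, unrelated event not flagged."""
    return {"new_user": rule(SAMPLE_NEW_USER), "unrelated": rule(SAMPLE_UNRELATED)}


if __name__ == "__main__":
    print(run_tests())
    print(evaluate_stream([(0, SAMPLE_NEW_USER), (600, SAMPLE_NEW_USER),
                           (3000, SAMPLE_UNRELATED), (3700, SAMPLE_NEW_USER)]))
```

The dedup key is built from the operation and the user ID rather than from the whole record, so the same creation reported twice within the hour collapses into one alert, while a second creation after the window fires again.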
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1136.003
Created: 2024-07-22