
Summary
This detection rule identifies the creation of new images in Google Cloud Platform (GCP) by monitoring audit logs for the event name 'compute.images.insert'. This event indicates that a new image has been created in Compute Engine, which could signify the deployment of a new virtual machine instance or a potential security concern where an unauthorized image is created. The rule leverages GCP audit logs to capture the relevant activity, specifically matching on the event name associated with image creation. By analyzing key fields such as timestamp, host, user, source IP, and others, the rule provides visibility into potentially malicious activity involving the creation of new VM images, which can be part of a broader persistence technique (T1525). The aggregated data is then presented in a structured format for easier analysis and response.
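The following is an added illustration of the matching logic the summary describes, written here as a stand-alone Python script; it is not the rule's own query. It runs over a few constructed Cloud Audit Logs entries in JSON form and extracts the fields the summary names (timestamp, user, source IP, project, image). Field names such as `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.requestMetadata.callerIp` follow the Cloud Audit Logs schema; the match on `methodName` ending in `compute.images.insert` is an assumption made so that API-version prefixes such as `v1.` and `beta.` are both caught.

```python
"""Match GCP Compute Engine audit-log entries for image creation (T1525 context).

Added example, not the detection rule's own query. Field paths follow the
Cloud Audit Logs JSON schema; the sample entries below are constructed.
"""
import json

# Constructed sample audit-log entries. Project, user, IP and image names are
# placeholders, not values from any real environment.
_SAMPLE_ENTRIES = [
    {
        "timestamp": "2024-02-09T10:15:00Z",
        "resource": {"type": "gce_image", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.images.insert",
            "resourceName": "projects/example-project/global/images/custom-image-1",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.5"},
        },
    },
    {
        # A routine instance creation: same service, different method, must not match.
        "timestamp": "2024-02-09T10:16:00Z",
        "resource": {"type": "gce_instance", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/vm-1",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
    },
    {
        # Same operation via the beta API surface; the version prefix differs.
        "timestamp": "2024-02-09T10:17:00Z",
        "resource": {"type": "gce_image", "labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "beta.compute.images.insert",
            "resourceName": "projects/example-project/global/images/custom-image-2",
            "authenticationInfo": {"principalEmail": "svc-builder@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "192.0.2.44"},
        },
    },
]

# One JSON document per line, plus a deliberately malformed line to show that a
# bad record is skipped rather than aborting the whole batch.
SAMPLE_LOG_LINES = [json.dumps(e) for e in _SAMPLE_ENTRIES] + ["{not valid json"]

EVENT_NAME = "compute.images.insert"  # the event the rule summary names


def is_image_insert(entry):
    """True when the entry's methodName is the image-creation event.

    Assumption: real entries carry an API-version prefix (v1., beta., ...),
    so match on the suffix rather than on exact equality.
    """
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "compute.googleapis.com":
        return False
    return payload.get("methodName", "").endswith(EVENT_NAME)


def summarize(entry):
    """Pull the fields the rule presents for analyst review into a flat dict."""
    payload = entry.get("protoPayload", {})
    return {
        "timestamp": entry.get("timestamp"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
        "user": payload.get("authenticationInfo", {}).get("principalEmail"),
        "source_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "image": payload.get("resourceName"),
        "technique": "T1525",
    }


def detect(lines):
    """Return a structured hit for every image-creation event in the log lines."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable records; the rest of the batch still runs
        if is_image_insert(entry):
            hits.append(summarize(entry))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(json.dumps(hit))
```

On the constructed input this flags the two image-creation entries and ignores the instance creation and the malformed line. In a real pipeline the summarized hits would be the records enriched or correlated further (for example, against the list of approved image builders), which is what the summary's "aggregated data ... presented in a structured format" refers to.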
Categories
- Cloud
- GCP
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1525
Created: 2024-02-09