
Summary
This detection rule identifies unauthorized uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events for a new container image uploaded by a user not previously recognized as authorized. The detection matters because unauthorized container uploads can signal a compromise or misuse, threatening the security of an organization's cloud environment and potentially leading to data breaches or the deployment of malicious containers. The rule works by analyzing CloudTrail logs through the Amazon Security Lake data lake with a search that filters out known users and counts events by user and source IP. This lets security teams quickly identify and investigate suspicious activity, reducing the risk associated with unauthorized access and container manipulation.
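The filter-known-users-then-count logic described above, written out as an added example that is not the rule's own search: it runs over constructed CloudTrail-style ECR `PutImage` records, and the allow-list entry, ARNs, IP addresses and repository names are all assumptions.

```python
"""Flag ECR image pushes by users not on an allow-list (added example).

Field names follow CloudTrail's PutImage event (eventSource, eventName,
userIdentity.arn, sourceIPAddress, requestParameters.repositoryName).
Security Lake stores these in OCSF form; that mapping is not covered here.
"""
from collections import Counter

# Assumption: the allow-list a team maintains, e.g. its CI deploy role.
KNOWN_UPLOADERS = {
    "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42",
}

# Constructed sample events, not real log data.
EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "v1.4.2"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "latest"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"repositoryName": "internal-tools", "imageTag": "v9"}},
    # Read-only call from the same unknown user: must not be counted.
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeImages",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
]


def unknown_uploads(events, known=KNOWN_UPLOADERS):
    """Return {(user_arn, source_ip): count} for PutImage calls by unknown users."""
    hits = Counter()
    for ev in events:
        # PutImage is the call that writes the image manifest, i.e. the upload.
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("eventName") != "PutImage":
            continue
        user = ev.get("userIdentity", {}).get("arn", "")
        if user in known:
            continue  # drop recognized uploaders, as the rule's search does
        hits[(user, ev.get("sourceIPAddress", ""))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, ip), n in unknown_uploads(EVENTS).items():
        print(f"ALERT: {n} PutImage call(s) by {user} from {ip}")
```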
Categories
- Cloud
- AWS
- Containers
Data Sources
- Pod
- Container
- User Account
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1204
- T1204.003
Created: 2024-11-14