
Summary
This detection rule identifies an adversary creating a database snapshot in an AWS account, an action mapped to ATT&CK T1578.001 (Modify Cloud Compute Infrastructure: Create Snapshot, a Defense Evasion technique): a snapshot of an RDS instance can later be restored, copied or shared outside the access controls that protect the live database. The logic uses AWS CloudTrail logs and matches the RDS API event name 'CreateDBSnapshot'. For each matching call the rule records the timestamp and user identity, the source IP address and the request parameters (the source DB instance and the snapshot identifier), and enriches the source address with DNS resolution and geolocation for context. Events are binned into fixed time intervals and aggregated with stats, so that many snapshots created by one principal in a short window, or snapshots created from an unexpected location, stand out rather than being reviewed one event at a time. CreateDBSnapshot is also routine backup and maintenance activity, so the output should be baselined against known automation roles and administrators, and the rule depends on CloudTrail management events for RDS being enabled and ingested. Because the search runs over time bins, detection is near-real-time on the search schedule rather than on each API call.
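The following is an added illustration of the detection logic described above, written for this page; it is not the rule's own search and is not code from the rule's authors. It parses a constructed CloudTrail log body, keeps only 'CreateDBSnapshot' calls from the RDS event source, bins them into one-hour windows, aggregates per principal, source IP and region, and stubs the DNS/geolocation enrichment with an assumed lookup table. The record field names follow the CloudTrail schema (RDS request parameters appear with a lower-cased first letter, e.g. dBInstanceIdentifier); the records, IP addresses, ARNs and lookup table are constructed sample data.

```python
"""CreateDBSnapshot detection over CloudTrail records (added example, not the rule's search)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail log body, not real telemetry. Three snapshots by one
# user in one hour, one unrelated RDS call, and one denied attempt by a role.
SAMPLE_CLOUDTRAIL_JSON = """
{"Records": [
 {"eventTime": "2024-02-09T10:05:00Z", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-snap-1"}},
 {"eventTime": "2024-02-09T10:20:00Z", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-snap-2"}},
 {"eventTime": "2024-02-09T10:45:00Z", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-snap-3"}},
 {"eventTime": "2024-02-09T10:50:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": null},
 {"eventTime": "2024-02-09T14:30:00Z", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
  "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DataEng/bob"},
  "requestParameters": {"dBInstanceIdentifier": "analytics-db", "dBSnapshotIdentifier": "analytics-copy"},
  "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: rds:CreateDBSnapshot"}
]}
"""

# Assumed stand-in for the DNS/geolocation enrichment step; a real pipeline
# would call a lookup service here. Values are invented for the sample IPs.
GEO_LOOKUP = {
    "203.0.113.10": ("US", "Ashburn"),
    "198.51.100.7": ("NL", "Amsterdam"),
}

BIN_SECONDS = 3600  # one-hour time bins, equivalent to bin _time span=1h


def parse_cloudtrail(text):
    """Return the list of records from a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(text)["Records"]


def bin_start(event_time, bin_seconds=BIN_SECONDS):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its time bin."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start = int(ts.timestamp()) // bin_seconds * bin_seconds
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def principal(record):
    """Identify the caller: the ARN when present, otherwise the principal ID."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or "unknown"


def aggregate_snapshots(records, bin_seconds=BIN_SECONDS):
    """Filter CreateDBSnapshot calls and aggregate them per bin, principal, source IP and region."""
    groups = defaultdict(lambda: {"count": 0, "instances": set(), "snapshots": set(), "errors": set()})
    for r in records:
        if r.get("eventSource") != "rds.amazonaws.com" or r.get("eventName") != "CreateDBSnapshot":
            continue
        key = (bin_start(r["eventTime"], bin_seconds), principal(r),
               r.get("sourceIPAddress", ""), r.get("awsRegion", ""))
        g = groups[key]
        g["count"] += 1
        params = r.get("requestParameters") or {}  # null for some failed calls
        g["instances"].add(params.get("dBInstanceIdentifier", ""))
        g["snapshots"].add(params.get("dBSnapshotIdentifier", ""))
        if r.get("errorCode"):  # keep denied attempts visible; they are still signal
            g["errors"].add(r["errorCode"])
    rows = []
    for (start, user, ip, region), g in sorted(groups.items()):
        country, city = GEO_LOOKUP.get(ip, ("unknown", "unknown"))
        rows.append({"bin_start": start, "user": user, "src_ip": ip, "region": region,
                     "country": country, "city": city, "count": g["count"],
                     "instances": sorted(g["instances"]), "snapshots": sorted(g["snapshots"]),
                     "errors": sorted(g["errors"])})
    return rows


def flag_bursts(rows, threshold=3):
    """Return aggregated rows where one principal created at least `threshold` snapshots in a bin."""
    return [row for row in rows if row["count"] >= threshold]


if __name__ == "__main__":
    for row in aggregate_snapshots(parse_cloudtrail(SAMPLE_CLOUDTRAIL_JSON)):
        print(row)
```

The threshold in flag_bursts is an assumed tuning knob: a backup automation role will legitimately produce bursts, so in practice the principal ARN of known automation is excluded or the threshold is set per principal from a baseline of normal activity.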
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Service
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1578.001
Created: 2024-02-09