
Summary
This detection rule identifies new user account creation events across multiple logging platforms, including OneLogin, AWS CloudTrail, and Zoom. Its purpose is to confirm that newly created accounts are justified and fall within standard operational practices. The rule captures unique identifiers such as user names, event types, and log types so that these events can be correlated. It maps to MITRE ATT&CK technique T1136 (Create Account), which covers account creation as a persistence mechanism used by threat actors. The severity is marked as 'Info': account creation is a routine operation, but monitoring for unusual or unauthorized account creations remains critical for maintaining security. The runbook provides guidance for validating the purpose of the created account.
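One way to implement the cross-platform matching the summary describes, written here as an added example and not the rule's own code: it assumes Panther-style `p_log_type` values and the OneLogin and Zoom field names shown (the CloudTrail `eventName`, `userIdentity` and `requestParameters` fields are the real ones), and normalizes each hit into one record carrying log type, event type, created user and actor.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed OneLogin event_type_id for "user created"; not taken from the page.
ONELOGIN_USER_CREATED = 13

@dataclass(frozen=True)
class AccountCreation:
    log_type: str
    event_type: str
    created_user: str
    actor: str

def detect(event: dict) -> Optional[AccountCreation]:
    """Return a normalized record if `event` creates a user account, else None."""
    log_type = event.get("p_log_type", "")
    if log_type == "AWS.CloudTrail" and event.get("eventName") == "CreateUser":
        params = event.get("requestParameters") or {}
        actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
        return AccountCreation(log_type, "CreateUser", params.get("userName", "<unknown>"), actor)
    if log_type == "OneLogin.Events" and event.get("event_type_id") == ONELOGIN_USER_CREATED:
        return AccountCreation(log_type, "USER_CREATED",
                               event.get("user_name", "<unknown>"),
                               event.get("actor_user_name", "<unknown>"))
    if (log_type == "Zoom.Operation" and event.get("category_type") == "User"
            and event.get("action") == "Add"):
        # Assumed layout: operation_detail ends with the new user's e-mail address.
        detail = event.get("operation_detail", "")
        created = detail.rsplit(" ", 1)[-1] if detail else "<unknown>"
        return AccountCreation(log_type, "Add User", created, event.get("operator", "<unknown>"))
    return None  # deletions, logins and other log types are not account creations

def run(events: list) -> list:
    """Apply detect() to a batch of events and keep only the matches (severity: Info)."""
    return [hit for hit in map(detect, events) if hit is not None]

# Constructed sample events; values are illustrative, not real log records.
SAMPLE_EVENTS = [
    {"p_log_type": "AWS.CloudTrail", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "new-svc-account"}},
    {"p_log_type": "AWS.CloudTrail", "eventName": "DeleteUser",
     "requestParameters": {"userName": "old-svc-account"}},
    {"p_log_type": "OneLogin.Events", "event_type_id": ONELOGIN_USER_CREATED,
     "user_name": "jane.doe", "actor_user_name": "it-admin"},
    {"p_log_type": "Zoom.Operation", "category_type": "User", "action": "Add",
     "operator": "zoom-admin@example.com", "operation_detail": "Add User jdoe@example.com"},
]
```

Each returned record carries the fields the runbook needs to validate the account's purpose (who created which account, in which system).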
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
Created: 2022-09-02