
Summary
This detection rule identifies when the code of an AWS Lambda function is updated, which may indicate a security risk. It specifically looks for events logged by AWS CloudTrail that correspond to calls updating Lambda function code. The rule is enabled and categorized under the MITRE ATT&CK technique TA0007:T1078, associated with account permissions and access. The severity level is classified as Medium: such activity is often legitimate (for example, a routine deployment), but it can also indicate unauthorized changes or behavior and therefore warrants further investigation. The runbook provides guidance on verifying the event details and determining whether further action is necessary based on the legitimacy of the event.
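As an added illustration of the detection logic described above (example code, not the rule's own implementation), the function below walks CloudTrail records and raises a Medium alert for each completed Lambda code update. It relies on standard CloudTrail fields (eventSource, eventName, errorCode, userIdentity, requestParameters); the sample records, account id, principals and IP addresses are constructed for the example.

```python
import json

# CloudTrail eventName values for Lambda carry an API-version suffix
# (e.g. "UpdateFunctionCode20150331v2"), so match on the prefix.
LAMBDA_SOURCE = "lambda.amazonaws.com"
CODE_UPDATE_PREFIX = "UpdateFunctionCode"

def detect_lambda_code_updates(records):
    """Return one Medium-severity alert per successful Lambda code update."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != LAMBDA_SOURCE:
            continue
        if not rec.get("eventName", "").startswith(CODE_UPDATE_PREFIX):
            continue
        if rec.get("errorCode"):
            continue  # denied/failed attempt: no code actually changed
        params = rec.get("requestParameters") or {}
        alerts.append({
            "severity": "Medium",
            "function": params.get("functionName", "<unknown>"),
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "time": rec.get("eventTime"),
        })
    return alerts

# Constructed sample CloudTrail records (JSON lines), not from a real account.
SAMPLE_RECORDS = """
{"eventTime": "2025-01-30T10:00:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"functionName": "payments-api"}}
{"eventTime": "2025-01-30T10:05:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"functionName": "payments-api"}}
{"eventTime": "2025-01-30T10:06:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"functionName": "payments-api"}}
{"eventTime": "2025-01-30T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "artifacts"}}
"""

def run_sample():
    records = [json.loads(line) for line in SAMPLE_RECORDS.strip().splitlines()]
    return detect_lambda_code_updates(records)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the second record fires: the read-only GetFunction call, the AccessDenied attempt and the S3 event are skipped, which is the triage split the runbook asks the analyst to make by hand.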
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1078
Created: 2025-01-30