EC2 Instance Modified With Previously Unseen User

Splunk Security Content

Summary
This detection rule identifies potential anomalies in AWS EC2 instance modifications by monitoring for instances altered by previously unseen users. It queries AWS CloudTrail logs for EC2 modification API calls and cross-references the calling users against a historical lookup of previously observed user activity; a modification by a user who first appears within the specified timeframe is flagged as needing further investigation. The rule has been marked as deprecated, and users are encouraged to rebuild the same logic on the latest Change Datamodel for improved efficacy. Implementing this rule requires the AWS App for Splunk and its associated add-ons, along with periodic updates of the lookup history so the baseline of known users stays accurate.
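The cross-reference the summary describes, as an added Python example that is not the Splunk rule's own search: CloudTrail events are replayed against a lookup of previously seen users, and a modification by a user whose first observation is no older than the window is flagged. The API-call set, the 24-hour window, and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed set of EC2 modification API calls; adjust to your environment.
EC2_MODIFY_APIS = {"ModifyInstanceAttribute", "ModifyInstanceMetadataOptions"}

def actor(event):
    """Stable user identity from a CloudTrail record: the ARN, else the user name."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "unknown"

def detect_new_modifiers(events, lookup, window=timedelta(hours=24)):
    """Replay events in time order against a lookup of previously seen users.

    lookup maps user -> {"firstTime", "lastTime"} and plays the role of the
    historical lookup the rule cross-references. Each qualifying event updates it;
    an alert is raised when the user's first observed EC2 modification is no older
    than `window` at event time, i.e. the user is new or only just appeared.
    """
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") not in EC2_MODIFY_APIS:
            continue
        if ev.get("errorCode"):  # denied or failed calls changed nothing; include them if you want attempts too
            continue
        user = actor(ev)
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        rec = lookup.setdefault(user, {"firstTime": ts, "lastTime": ts})
        rec["lastTime"] = max(rec["lastTime"], ts)
        if ts - rec["firstTime"] <= window:
            alerts.append({
                "user": user,
                "eventName": ev["eventName"],
                "instanceId": ev.get("requestParameters", {}).get("instanceId"),
                "eventTime": ev["eventTime"],
            })
    return alerts

# Constructed sample data (not real accounts): a long-known admin and a never-seen principal.
HISTORY = {"arn:aws:iam::111122223333:user/ops-admin":
           {"firstTime": datetime(2024, 9, 1, tzinfo=timezone.utc), "lastTime": datetime(2024, 11, 10, tzinfo=timezone.utc)}}
EVENTS = [
    {"eventTime": "2024-11-14T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"}, "requestParameters": {"instanceId": "i-0abc"}},
    {"eventTime": "2024-11-14T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"}},
    {"eventTime": "2024-11-14T09:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceMetadataOptions",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/new-contractor"}, "requestParameters": {"instanceId": "i-0abc"}},
]

if __name__ == "__main__":
    for alert in detect_new_modifiers(EVENTS, {k: dict(v) for k, v in HISTORY.items()}):
        print(alert)  # only the new-contractor modification is reported
```

Persisting the updated lookup after each run is what keeps the baseline current, which is the periodic update the summary calls for.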
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1078.004
Created: 2024-11-14