
Summary
This rule monitors AWS CloudTrail logs for events that revoke ingress rules from security groups. Ingress rules control the flow of incoming traffic to AWS resources, specifically EC2 instances. The rule uses a Splunk query to detect the event logged when the 'RevokeSecurityGroupIngress' action occurs. Upon detection, it retrieves attributes including timestamps, user accounts, source IPs, and security group details, which are vital for identifying changes in security posture. Additionally, the rule uses a DNS lookup on source IPs to enrich the logs and the `iplocation` function to provide geographic context. The rule is vital for capturing unauthorized changes or potential indicators of account compromise in AWS environments; it maps to the persistence technique of account manipulation, MITRE ATT&CK T1098. Its effectiveness hinges on continuous monitoring of security group changes, so that any removal of ingress permissions is validated and investigated promptly to prevent security violations.
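As an added illustration (not the rule's own Splunk query, which this page does not reproduce), the following Python applies the same detection logic to constructed CloudTrail records: it matches RevokeSecurityGroupIngress, extracts the timestamp, caller ARN, source IP, group ID and the revoked rules, and enriches the source IP with a constructed lookup table standing in for `iplocation`. The sample events, the geo table and the function names are assumptions.

```python
# Constructed sample CloudTrail records (not real data); the field layout mirrors
# CloudTrail's JSON for ec2.amazonaws.com API calls.
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-09T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    # Noise: an authorize call from the same user must not trigger the rule.
    {"eventTime": "2024-02-09T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]

# Stand-in for Splunk's iplocation command: a constructed IP -> country table.
GEO_TABLE = {"203.0.113.10": "Netherlands"}

def summarize_rules(perms):
    """Flatten CloudTrail's nested ipPermissions into 'proto:from-to cidr' strings."""
    out = []
    for p in perms.get("items", []):
        proto = p.get("ipProtocol", "-1")
        ports = f"{p.get('fromPort', 'all')}-{p.get('toPort', 'all')}"
        cidrs = [r["cidrIp"] for r in p.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in p.get("ipv6Ranges", {}).get("items", [])]
        # Rules that reference another security group or a prefix list carry no CIDR.
        for c in cidrs or ["<group-or-prefix-list>"]:
            out.append(f"{proto}:{ports} {c}")
    return out

def detect_ingress_revocations(events, geo=GEO_TABLE):
    """One enriched record per RevokeSecurityGroupIngress call: who, from where, which group, which rules."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "RevokeSecurityGroupIngress":
            continue
        req = ev.get("requestParameters") or {}
        src = ev.get("sourceIPAddress", "")
        hits.append({
            "time": ev.get("eventTime"),
            "user": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": src,
            "country": geo.get(src, "unknown"),  # iplocation-style enrichment
            "group_id": req.get("groupId"),
            "revoked": summarize_rules(req.get("ipPermissions") or {}),
            "error": ev.get("errorCode"),  # set when the API call was denied or failed
        })
    return hits
```

Keeping the `error` field lets an analyst distinguish a completed revocation from a denied attempt, which the rule as summarized does not separate.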
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1098
Created: 2024-02-09