Detect AWS Console Login by User from New City

Splunk Security Content

Summary
This detection rule identifies AWS console login events made by users from new geographical locations by analyzing AWS CloudTrail logs. The detection compares the location of each login against a predefined list of previously recorded user locations, stored in a lookup file. If a user logs in from a city not previously associated with their account within the last hour, the login is flagged as a potential risk indicating possible credential compromise. The rule uses the `iplocation` command to determine the city from the source IP address of the login attempt. Unexpected login locations are a red flag for unauthorized access, so this is important for SOC teams to monitor. Effective implementation requires an established baseline of known user locations so that alerts are actionable and relevant. False positives may occur with legitimate new users logging in for the first time, so verifying the account's age and usage history before escalating is advisable.
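The baseline-comparison logic the summary describes, written out as an added Python example rather than Splunk's own SPL search: the IP-to-city table stands in for `iplocation`, and the baseline lookup and the CloudTrail-style ConsoleLogin events are all constructed sample data.

```python
# Added example (not the Splunk rule's own search): flag successful console
# logins from a city not in the user's baseline within the last hour.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for `iplocation` (RFC 5737 documentation addresses).
IP_CITY = {"198.51.100.7": "Dublin", "203.0.113.9": "Lagos", "192.0.2.44": "Dublin"}

# Constructed baseline lookup: cities previously seen per user.
BASELINE = {"alice": {"Dublin"}, "bob": {"Seattle"}}

# Constructed CloudTrail-style ConsoleLogin events (subset of fields).
EVENTS = [
    {"eventTime": "2024-11-14T09:05:00Z", "userName": "alice",
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-11-14T09:20:00Z", "userName": "alice",
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-11-14T09:25:00Z", "userName": "bob",
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-11-14T09:40:00Z", "userName": "alice",
     "sourceIPAddress": "192.0.2.44", "responseElements": {"ConsoleLogin": "Success"}},
]

def detect_new_city_logins(events, baseline, ip_city, now, window=timedelta(hours=1)):
    """Return (user, city, eventTime) for successful logins from a city absent from
    the user's baseline that fall within `window` before `now`. Failed logins and
    IPs with no geolocation are skipped; each newly seen city is added to the
    baseline so repeat logins from it are not re-alerted."""
    cutoff = now - window
    seen = defaultdict(set, {u: set(c) for u, c in baseline.items()})
    hits = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        city = ip_city.get(ev["sourceIPAddress"])
        if city is None:
            continue  # cannot evaluate without a city
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev["userName"]
        if city not in seen[user] and t >= cutoff:
            hits.append((user, city, ev["eventTime"]))
        seen[user].add(city)
    return hits

if __name__ == "__main__":
    for hit in detect_new_city_logins(EVENTS, BASELINE, IP_CITY, datetime(2024, 11, 14, 10, 0, 0)):
        print("new-city console login:", hit)
```

Only alice's login from Lagos is reported; her Dublin logins match the baseline and bob's failed attempt is ignored.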
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1586
  • T1586.003
  • T1535
Created: 2024-11-14