Cloud Compute Instance Created In Previously Unused Region

Splunk Security Content

Summary
This detection rule identifies cloud compute instances created within the last hour in regions that have not previously been used. It uses AWS CloudTrail logs to track instance creation events and cross-references each event's region against a lookup table of previously used regions. Instance creation in a previously unused region can indicate unauthorized access or misuse by an attacker attempting to avoid detection or to establish a foothold in a less scrutinized part of the account. Such activity may result in unauthorized resource consumption, data leakage, or a weakened security posture for the cloud environment. By monitoring these events, administrators can investigate quickly and mitigate potential security risks.
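The region-baseline check described above, as an added Python example that is not Splunk's own search or code: it runs over a few constructed CloudTrail records, treats a hard-coded set as the "previously used regions" lookup, and raises one alert per region that is new relative to that baseline. The event field names (`eventName`, `awsRegion`, `errorCode`, `userIdentity.arn`, `sourceIPAddress`) are standard CloudTrail fields; the sample values, the baseline set and the `Alert` type are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed CloudTrail records for illustration only (not real data).
# The detection keys on eventName=RunInstances and awsRegion; identity and
# source IP are carried along purely as triage context for the analyst.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-11-14T09:01:00Z", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    # Read-only call in a new region: not an instance creation, must not alert.
    {"eventTime": "2024-11-14T09:05:00Z", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    # Failed creation attempt (CloudTrail records errorCode on denied calls).
    {"eventTime": "2024-11-14T09:07:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "errorCode": "Client.UnauthorizedOperation"},
    # First successful creation in a region absent from the baseline: alert.
    {"eventTime": "2024-11-14T09:09:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    # Second creation in the same region: region is now known, no new alert.
    {"eventTime": "2024-11-14T09:12:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
]

# Stands in for the "previously used regions" lookup table (constructed).
PREVIOUSLY_SEEN_REGIONS = {"us-east-1", "eu-west-1"}


@dataclass(frozen=True)
class Alert:
    """One finding: the first compute creation seen in a region outside the baseline."""
    event_time: str
    region: str
    principal: str
    source_ip: str
    failed_attempt: bool


def detect_new_region_instances(events, known_regions, include_failed=False):
    """Return (alerts, updated_baseline) for RunInstances events in unseen regions.

    Events are expected in time order. A region alerts once; after that it is
    added to the returned baseline so later creations there are treated as known,
    mirroring a lookup table that is refreshed after each scheduled run.
    The caller's known_regions set is not modified.
    With include_failed=True, denied RunInstances calls (errorCode present) also
    count, which surfaces reconnaissance-style attempts before any instance exists.
    """
    baseline = set(known_regions)
    alerts = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        failed = "errorCode" in ev
        if failed and not include_failed:
            continue
        region = ev.get("awsRegion")
        if not region or region in baseline:
            continue
        alerts.append(Alert(
            event_time=ev.get("eventTime", ""),
            region=region,
            principal=ev.get("userIdentity", {}).get("arn", "unknown"),
            source_ip=ev.get("sourceIPAddress", "unknown"),
            failed_attempt=failed,
        ))
        baseline.add(region)
    return alerts, baseline


if __name__ == "__main__":
    found, new_baseline = detect_new_region_instances(SAMPLE_CLOUDTRAIL, PREVIOUSLY_SEEN_REGIONS)
    for a in found:
        print(f"{a.event_time} new region {a.region} used by {a.principal} from {a.source_ip}")
    print("baseline after run:", sorted(new_baseline))
```

Two design points carry over to a production search: the baseline must be written back after every run (otherwise every scheduled execution re-alerts on the same region), and a brand-new account with an empty baseline will alert on its very first instance in each region, so the lookup should be seeded from historical CloudTrail data before the rule is enabled.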
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1535
Created: 2024-11-14