
Summary
This detection rule identifies AWS console logins from geographic regions that a user has not logged in from before. Using AWS CloudTrail events, it builds a per-user baseline of the regions from which that user has previously logged in and compares the user's most recent login against that baseline. A latest login from a region absent from the baseline may indicate a security breach such as credential compromise. The detection runs on the Splunk platform, using the `Authentication` data model to collect login records and IP geolocation to resolve the region of each login attempt. It raises an alert for further investigation when a user logs in from a new region within the rule's detection window, helping organizations catch unauthorized access before it leads to a data breach.
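As an added illustration that is not part of the original rule, the following Python models the baseline comparison over constructed CloudTrail ConsoleLogin events. The geolocation table, the event builder and the `NOW` value are constructed stand-ins for Splunk's `iplocation` lookup and the `Authentication` data model.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed stand-in for Splunk's iplocation lookup; a real deployment uses a GeoIP database.
GEO_TABLE = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE", "192.0.2.0/24": "BR"}
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)  # constructed "current time" of the run

def geolocate(ip):
    """Return the region for an IP from the constructed table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return region
    return None

def _login(t, user, ip, result="Success"):
    """Build a minimal constructed CloudTrail ConsoleLogin event (not real data)."""
    return {"eventTime": t, "eventName": "ConsoleLogin",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": result}}

# Constructed sample events: alice has a US-only history and then logs in from BR; bob logs in
# from DE as usual; carol's only out-of-region attempt failed, so it must not count.
EVENTS = [
    _login("2024-11-01T08:00:00Z", "alice", "203.0.113.10"),
    _login("2024-11-05T09:15:00Z", "alice", "203.0.113.22"),
    _login("2024-11-14T03:40:00Z", "alice", "192.0.2.77"),
    _login("2024-11-02T10:00:00Z", "bob", "198.51.100.5"),
    _login("2024-11-14T01:00:00Z", "bob", "198.51.100.9"),
    _login("2024-11-03T12:00:00Z", "carol", "203.0.113.30"),
    _login("2024-11-14T05:00:00Z", "carol", "192.0.2.12", result="Failure"),
]
def find_new_region_logins(events, now=NOW, baseline_days=30, recent_hours=24):
    """Flag users whose latest successful login (within recent_hours) came from a region
    absent from their baseline of successful logins over the prior baseline_days."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin" or ev["responseElements"].get("ConsoleLogin") != "Success":
            continue  # failed logins neither build nor test the baseline
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - ts <= timedelta(days=baseline_days):
            by_user[ev["userIdentity"]["arn"]].append((ts, ev["sourceIPAddress"], geolocate(ev["sourceIPAddress"])))
    alerts = []
    for user, logins in sorted(by_user.items()):
        logins.sort()  # chronological; the last entry is the login under test
        latest_ts, latest_ip, latest_region = logins[-1]
        baseline = {r for _, _, r in logins[:-1] if r is not None}
        # An unresolvable (None) latest region is treated as new, since it is not in the baseline.
        if now - latest_ts <= timedelta(hours=recent_hours) and baseline and latest_region not in baseline:
            alerts.append({"user": user, "src_ip": latest_ip, "region": latest_region, "baseline": sorted(baseline)})
    return alerts
```

A user with no prior successful logins in the baseline window produces no alert, so first-seen accounts need a separate rule. Expect benign hits from VPN egress, mobile carriers and travel; tune by allow-listing corporate egress ranges rather than by widening the baseline window.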
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- User Account
- Network Traffic
ATT&CK Techniques
- T1586
- T1586.003
- T1535
Created: 2024-11-14