
AWS Cloud Provisioning From Previously Unseen City

Splunk Security Content

Summary
This detection rule identifies AWS provisioning activity that originates from a city not previously seen provisioning AWS resources. Provisioning is defined broadly: any AWS CloudTrail event whose name begins with 'Run' or 'Create'. The rule resolves each event's source IP address to a city with Splunk's iplocation command, which is backed by the MaxMind GeoIP database, and compares that city against a secondary search that lists the cities from which provisioning has already been observed; an event from a city absent from that list fires the alert. Because IP-to-city resolution is approximate, the geolocation step is a known source of noise. The rule is deprecated, and users are directed to the newer version built on the Splunk Change data model for improved accuracy and relevance. Running it requires specific versions of the Splunk Add-on for AWS and the Splunk App for AWS, so the search is only as effective as its configuration. There are no false positives in the traditional sense, since each alert accurately reflects the first time a provisioning event was seen from that city within the search window, but the quality of the geolocation data can produce a high volume of alerts.
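The logic described above, re-implemented in Python as an added example (this is not the rule's own SPL and not Splunk Security Content code). The GeoIP table, the baseline of previously seen cities, and the CloudTrail-style records are all constructed for the example; the shape of the baseline is an assumption standing in for the lookup the Splunk rule maintains. It also surfaces the two cases that silently disappear in a geolocation-based search: source addresses that do not resolve to a city, and CloudTrail events whose sourceIPAddress is an AWS service name rather than an IP.

```python
"""Re-implementation of the 'previously unseen city' provisioning detection over
constructed CloudTrail-style records. Added example; not the Splunk rule's SPL."""
import json
from ipaddress import ip_address, ip_network

# Constructed stand-in for the MaxMind GeoIP database behind Splunk's iplocation.
# RFC 5737 documentation ranges are mapped to cities purely for the example.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "Seattle"),
    (ip_network("198.51.100.0/24"), "Dublin"),
    (ip_network("192.0.2.0/24"), "Frankfurt"),
]

# "Provisioning" is defined broadly as any API call whose name starts with these verbs.
PROVISIONING_PREFIXES = ("Run", "Create")

# Constructed baseline: cities already seen provisioning. The Splunk rule keeps this
# state in a lookup fed by a secondary search; a plain set is an assumed stand-in.
BASELINE = {"Seattle", "Dublin"}

# Constructed CloudTrail-style events, reduced to the fields the logic needs.
# 123456789012 is AWS's documentation placeholder account ID.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-11-14T10:01:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build"}},
    {"eventTime": "2024-11-14T10:02:00Z", "eventName": "CreateBucket",
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-14T10:02:30Z", "eventName": "RunInstances",
     "sourceIPAddress": "192.0.2.45", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-14T10:03:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-14T10:04:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "10.0.0.5", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"}},
    {"eventTime": "2024-11-14T10:05:00Z", "eventName": "CreateStack",
     "sourceIPAddress": "cloudformation.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
    {"eventTime": "2024-11-14T10:06:00Z", "eventName": "RunTask",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build"}},
]]


def is_provisioning(event_name: str) -> bool:
    """True for the broadly defined provisioning verbs (Run*, Create*)."""
    return event_name.startswith(PROVISIONING_PREFIXES)


def resolve_city(source: str):
    """Map a CloudTrail sourceIPAddress to a city, or None when it cannot be resolved.

    CloudTrail puts a service DNS name (e.g. cloudformation.amazonaws.com) in this field
    for calls an AWS service makes on a principal's behalf, and private ranges never resolve.
    """
    try:
        addr = ip_address(source)
    except ValueError:
        return None
    for net, city in GEOIP_TABLE:
        if addr in net:
            return city
    return None


def detect_unseen_cities(raw_events, baseline):
    """Run the detection over newline-delimited JSON events.

    Returns (alerts, unresolved_sources, updated_seen). A city fires at most once per
    run: its first sighting is alerted and added to the working set, mirroring the
    rule's 'previously seen' state. The caller's baseline is left unmodified.
    """
    seen = set(baseline)
    alerts, unresolved = [], []
    for line in raw_events:
        ev = json.loads(line)
        if not is_provisioning(ev["eventName"]):
            continue
        city = resolve_city(ev["sourceIPAddress"])
        if city is None:
            # GeoIP gap: a city-keyed search would simply not show these rows,
            # so record them instead of discarding them silently.
            unresolved.append(ev["sourceIPAddress"])
            continue
        if city in seen:
            continue
        seen.add(city)
        alerts.append({
            "city": city,
            "eventName": ev["eventName"],
            "sourceIPAddress": ev["sourceIPAddress"],
            "user": ev["userIdentity"]["arn"],
            "firstSeen": ev["eventTime"],
        })
    return alerts, unresolved, seen


if __name__ == "__main__":
    found, gaps, _ = detect_unseen_cities(SAMPLE_EVENTS, BASELINE)
    for a in found:
        print(f"ALERT new provisioning city {a['city']}: {a['eventName']} by {a['user']} at {a['firstSeen']}")
    print("unresolvable sources:", gaps)
```

On the constructed input only the CreateBucket call from Frankfurt alerts: the second Frankfurt event in the same run is suppressed, the Seattle and Dublin calls are already in the baseline, DescribeInstances is not a provisioning verb, and the private address and the CloudFormation service principal land in the unresolved list. That last list is the practical caveat: a city-keyed detection cannot see provisioning done through service roles or from address space the GeoIP database does not cover, which is one reason the replacement rule on the Change data model keys on the change itself rather than on a geolocated source.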
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1535
Created: 2024-11-14