
Summary
This detection rule identifies AWS console logins by users from countries not previously seen for them, using AWS CloudTrail events as the data source. The rule matches each login attempt against a lookup file containing historical user login locations, so that logins from a new country can be flagged for review. This matters because a login from a new country can indicate a compromised account or other unauthorized access, putting sensitive AWS resources at risk of misuse and data exfiltration. The rule requires a working installation of the Splunk Add-on for AWS and relies on up-to-date data models to track user behavior accurately. Implementation involves creating an initial baseline of known users and their login countries and regularly refreshing that baseline so the detection keeps working as expected. The rule also documents known false positives: legitimate users logging in from a new location will trigger it, so their activity must be verified before an alert is treated as malicious.
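The baseline-and-compare logic the summary describes, as an added example that is not the rule's own SPL or any Splunk code: the IP-to-country table, the account id and the ConsoleLogin records are constructed, and users absent from the baseline are treated as unseen in every country (an assumption).

```python
from collections import defaultdict

# Constructed IP-to-country table standing in for a geolocation lookup.
GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.55": "BR"}

def login(user, ip, time, ok=True):
    """Build a constructed CloudTrail-style ConsoleLogin record (only the fields used)."""
    return {"eventName": "ConsoleLogin", "eventTime": time,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}

BASELINE_EVENTS = [login("alice", "203.0.113.10", "2024-10-01T08:00:00Z"),
                   login("bob", "198.51.100.7", "2024-10-02T09:00:00Z")]
NEW_EVENTS = [login("alice", "192.0.2.55", "2024-11-14T03:12:00Z"),          # new country
              login("bob", "198.51.100.7", "2024-11-14T09:01:00Z"),          # seen before
              login("bob", "192.0.2.55", "2024-11-14T10:00:00Z", ok=False),  # failed, new
              login("carol", "203.0.113.10", "2024-11-14T11:00:00Z")]        # not baselined

def country_of(event, geo=GEO):
    return geo.get(event["sourceIPAddress"], "UNKNOWN")

def succeeded(event):
    return event.get("responseElements", {}).get("ConsoleLogin") == "Success"

def build_baseline(events, geo=GEO):
    """user ARN -> set of countries with a successful console login (the lookup file)."""
    baseline = defaultdict(set)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and succeeded(e):
            baseline[e["userIdentity"]["arn"]].add(country_of(e, geo))
    return baseline

def detect_new_country_logins(events, baseline, geo=GEO):
    """Alert on any ConsoleLogin attempt from a country not in that user's baseline.
    An unknown user has no seen countries, so every attempt alerts (assumption)."""
    alerts = []
    for e in events:
        if e["eventName"] != "ConsoleLogin":
            continue
        user, country = e["userIdentity"]["arn"], country_of(e, geo)
        if country not in baseline.get(user, set()):
            alerts.append({"user": user, "country": country, "time": e["eventTime"],
                           "src_ip": e["sourceIPAddress"], "success": succeeded(e)})
    return alerts

def update_baseline(baseline, events, geo=GEO):
    """Refresh the lookup with successful logins once they have been verified as
    legitimate; failed attempts are never added, so a failure cannot whitelist a country."""
    for user, countries in build_baseline(events, geo).items():
        baseline.setdefault(user, set()).update(countries)
    return baseline
```

Run the baseline window through `build_baseline`, the current window through `detect_new_country_logins`, and only fold reviewed windows into the lookup with `update_baseline`.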
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1586
- T1586.003
- T1535
Created: 2024-11-14