
Summary
This detection rule identifies the creation of cloud instances in AWS regions that the organization does not normally use or support, a tactic adversaries employ to operate where monitoring is weakest (ATT&CK T1535). The main threat is a compromised account with permission to manage cloud resources, which lets an attacker provision instances in regions that are rarely used and therefore less closely watched. The rule queries AWS CloudTrail logs, restricting the search to events from the last two hours so that suspicious region usage surfaces quickly. Legitimate usage patterns are filtered out through an allowlist configured via the avl allowlist macro. Monitoring these events helps organizations spot potential account compromise early and take appropriate responsive action.
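As an added illustration (not part of the rule itself), the following Python reproduces the rule's logic over constructed CloudTrail records: keep only instance-creation events from the last two hours and flag those whose awsRegion is not on the allowlist. The allowed regions, the sample records and the reference time are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Regions the organization is known to use. This constructed set plays the
# role of the rule's allowlist macro; the values are assumptions.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# CloudTrail eventName values that provision a compute instance.
INSTANCE_CREATION_EVENTS = {"RunInstances"}

# Constructed time at which the search runs (the "now" of the two-hour window).
REFERENCE_NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample CloudTrail records (one JSON object per line).
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2024-02-09T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-02-09T11:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-southeast-2","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-02-09T11:40:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"sa-east-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.9"}
{"eventTime":"2024-02-09T06:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"eu-north-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.9"}
"""

def parse_cloudtrail(ndjson):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def _event_time(record):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'.
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_unused_region_instance_creation(records, allowed_regions, now, window=timedelta(hours=2)):
    """Return instance-creation events from the last `window` whose region is not allowlisted."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in INSTANCE_CREATION_EVENTS:
            continue  # only provisioning calls matter for this rule
        if now - _event_time(rec) > window:
            continue  # outside the two-hour search window
        if rec.get("awsRegion") in allowed_regions:
            continue  # region the organization legitimately uses
        hits.append({
            "time": rec["eventTime"],
            "region": rec.get("awsRegion", "unknown"),
            "user": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress", "unknown"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_unused_region_instance_creation(parse_cloudtrail(SAMPLE_CLOUDTRAIL), ALLOWED_REGIONS, REFERENCE_NOW):
        print(f"ALERT: instance created in unlisted region {hit['region']} by {hit['user']} from {hit['source_ip']} at {hit['time']}")
```

Of the four constructed records only the ap-southeast-2 RunInstances call is reported: the us-east-1 call is allowlisted, the sa-east-1 event is not a provisioning call, and the eu-north-1 call falls outside the two-hour window.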
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Logon Session
ATT&CK Techniques
- T1535
Created: 2024-02-09