Cloud Provisioning Activity From Previously Unseen Country

Splunk Security Content

Summary
This detection rule identifies cloud provisioning activity that originates from a country not previously observed. The analytic uses AWS CloudTrail logs to track actions that start or create cloud instances and checks the geographic origin of the source IP addresses involved. Such activity often indicates unauthorized access or a compromised account, since attackers can exploit cloud resources for malicious purposes. The detection compares each event against a baseline of known geographic locations to identify anomalies: if the source IP does not resolve to a previously observed country, the event prompts further investigation to assess whether the action is legitimate, because unauthorized provisioning can lead to data breaches, service disruptions, or further infiltration. The rule generates alerts for successful provisioning actions flagged from unknown geographic locations, adding an important layer of security to cloud operations.
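The baseline-and-compare logic the summary describes, as an added illustration rather than the Splunk search itself: constructed CloudTrail-style records, a constructed IP-to-country table standing in for a GeoIP lookup, and a check that flags only successful EC2 create/start calls whose source country is absent from the account's baseline (the account ID, IPs and user names are made up).

```python
from collections import defaultdict
# Constructed stand-in for a GeoIP lookup (documentation-range IPs, not real allocations).
IP_COUNTRY = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "DE", "192.0.2.55": "BR"}
PROVISIONING_EVENTS = {"RunInstances", "StartInstances"}  # EC2 create/start calls

def is_successful_provisioning(event):
    """True for an EC2 create/start call that CloudTrail did not record as failed."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in PROVISIONING_EVENTS and "errorCode" not in event)

def build_baseline(history):
    """Map each account to the countries it has successfully provisioned from before."""
    seen = defaultdict(set)
    for event in history:
        country = IP_COUNTRY.get(event["sourceIPAddress"])
        if is_successful_provisioning(event) and country:
            seen[event["recipientAccountId"]].add(country)
    return seen

def find_unseen_country_provisioning(baseline, events):
    """(account, user ARN, country, eventName) for each successful provisioning call whose
    source country is not in that account's baseline; an unresolvable IP counts as unseen."""
    hits = []
    for event in events:
        if not is_successful_provisioning(event):
            continue
        country = IP_COUNTRY.get(event["sourceIPAddress"], "UNKNOWN")
        if country not in baseline.get(event["recipientAccountId"], set()):
            hits.append((event["recipientAccountId"], event["userIdentity"]["arn"],
                         country, event["eventName"]))
    return hits

def make_event(name, ip, user, error=None):
    """Minimal constructed CloudTrail record for the constructed account 111111111111."""
    record = {"eventSource": "ec2.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
              "recipientAccountId": "111111111111",
              "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}
    if error:
        record["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return record

# Constructed baseline window (US and DE seen) and a batch of new events to score.
HISTORY = [make_event("RunInstances", "203.0.113.10", "alice"),
           make_event("StartInstances", "198.51.100.7", "bob")]
NEW_EVENTS = [make_event("RunInstances", "203.0.113.11", "alice"),                      # US, known
              make_event("RunInstances", "192.0.2.55", "alice"),                        # BR, unseen
              make_event("RunInstances", "192.0.2.55", "bob", "UnauthorizedOperation"), # failed call
              make_event("DescribeInstances", "192.0.2.55", "bob"),                     # not provisioning
              make_event("StartInstances", "192.0.2.99", "carol")]                      # IP not in lookup
BASELINE = build_baseline(HISTORY)
HITS = find_unseen_country_provisioning(BASELINE, NEW_EVENTS)
```

Only the Brazilian RunInstances call and the StartInstances call from an IP the lookup cannot place are reported; the failed call and the read-only DescribeInstances call are ignored, as the rule's focus on successful provisioning actions requires.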
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1078
Created: 2024-11-14