Cloud Provisioning Activity From Previously Unseen City

Splunk Security Content

Summary
This analytic rule identifies suspicious cloud provisioning activity that originates from geographic locations not previously seen in the cloud environment. It uses AWS CloudTrail logs to track actions related to instance creation and starting, and resolves the source IP address of each action to a geographic location through IP geolocation. By comparing the current activity against a baseline of known locations, the rule can flag potential unauthorized access or misuse of cloud resources. Such anomalies may signal that an adversary is exploiting cloud infrastructure from an unexpected location, with the risk of unauthorized resource creation, data exfiltration, or other malicious activity. To implement this rule effectively, maintain an up-to-date table of previously seen provisioning sources and run the baseline searches regularly to minimize false positives caused by normal provisioning from different cities, especially where the geographical resolution of the GeoIP database in use is limited.
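The comparison the rule performs, as an added example that is not the detection's own SPL: constructed CloudTrail-style records are filtered to instance creation and start actions, their source IPs are resolved through a stand-in GeoIP table (the IPs, ARNs and cities are all made up), and the resulting cities are checked against a baseline built from an earlier window. IPs the lookup cannot resolve are reported separately, since treating them as either "known" or "new" would skew the result.

```python
# Constructed CloudTrail records (not real logs); only the fields the rule uses are kept.
HISTORICAL_EVENTS = [  # baseline window: known-good provisioning from one city
    {"eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventName": "StartInstances", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]
NEW_EVENTS = [  # detection window
    {"eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventName": "RunInstances", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventName": "RunInstances", "sourceIPAddress": "192.0.2.200",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"}},
    {"eventName": "StartInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]
# Constructed stand-in for a GeoIP database; 192.0.2.200 deliberately has no entry.
GEOIP = {"203.0.113.10": ("Boston", "US"), "198.51.100.5": ("Boston", "US"),
         "192.0.2.77": ("Lagos", "NG")}
# Provisioning actions the rule tracks: instance creation and starting.
PROVISIONING_EVENTS = {"RunInstances", "StartInstances"}

def geolocate(ip, geoip=GEOIP):
    """Return (city, country) for ip, or None when the database cannot resolve it."""
    return geoip.get(ip)

def build_baseline(events, geoip=GEOIP):
    """Set of (city, country) pairs seen for past provisioning: the 'previously seen' table."""
    return {loc for ev in events if ev["eventName"] in PROVISIONING_EVENTS
            if (loc := geolocate(ev["sourceIPAddress"], geoip)) is not None}

def detect_unseen_city(events, baseline, geoip=GEOIP):
    """Flag provisioning events whose source city is absent from the baseline.
    Unresolvable IPs are returned separately instead of being dropped or counted as new."""
    findings, unresolved = [], []
    for ev in events:
        if ev["eventName"] not in PROVISIONING_EVENTS:
            continue  # read-only calls such as DescribeInstances are not provisioning
        ip = ev["sourceIPAddress"]
        loc = geolocate(ip, geoip)
        if loc is None:
            unresolved.append(ip)
        elif loc not in baseline:
            findings.append({"user": ev["userIdentity"]["arn"], "action": ev["eventName"],
                             "src_ip": ip, "city": loc[0], "country": loc[1]})
    return findings, unresolved
```

After triage, findings confirmed as legitimate should be folded back into the baseline set, otherwise the same city fires on every run.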
Categories
  • Cloud
  • Infrastructure
Data Sources
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2024-11-14