
AWS Cloud Provisioning From Previously Unseen Region

Splunk Security Content

Summary
This rule flags AWS provisioning activity that originates from a region in which no provisioning has previously been recorded. It considers AWS CloudTrail events whose eventName begins with 'Run' or 'Create' (for example RunInstances or CreateUser), since these represent resource creation or invocation. The sourceIPAddress of each such event is geolocated, and the resulting region is compared against the set of regions observed in earlier provisioning events; any event whose region is not in that set raises an alert. The region here is the geolocated location of the caller's IP address, not the awsRegion field of the event. The rule has been deprecated in favor of the latest Change Datamodel, and users should migrate to the updated search for monitoring AWS provisioning events. Because the detection is behavioral it can be noisy: where MaxMind's GeoIP database resolves a source IP only at low resolution, many benign events can appear to come from a new region and trigger alerts. The AWS App for Splunk must be installed and AWS CloudTrail inputs configured for the search to run.
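As an added example, not Splunk's own search, the following Python replays the logic described above over constructed CloudTrail-style events: filter to eventName values starting with Run or Create, geolocate sourceIPAddress, build a baseline of regions from historical provisioning events, and alert on any provisioning event whose region is absent from that baseline. The GEO_TABLE lookup, and every IP address, ARN and timestamp, are constructed assumptions standing in for MaxMind and for real CloudTrail data. It also shows one way to handle the low-resolution noise the summary warns about: IPs that resolve to a country but no region are reported separately instead of being alerted on.

```python
"""Toy replay of the 'provisioning from a previously unseen region' logic
over constructed CloudTrail-style events. Added example, not Splunk's SPL;
the geolocation table is an assumption standing in for MaxMind GeoIP."""
import ipaddress

# Constructed stand-in for a GeoIP database (assumption). A region of None
# models a low-resolution entry that resolves to country only.
GEO_TABLE = {
    "198.51.100.0/24": ("US", "Virginia"),
    "203.0.113.0/24": ("DE", "Berlin"),
    "2001:db8::/32": ("JP", "Tokyo"),
    "192.0.2.0/24": ("FR", None),
}


def geolocate(ip):
    """Return (country, region) for an IP, or (None, None) if not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, location in GEO_TABLE.items():
        # Membership across IPv4/IPv6 families is simply False, so mixing is safe.
        if addr in ipaddress.ip_network(cidr):
            return location
    return (None, None)


def is_provisioning(event_name):
    """CloudTrail eventName values that create or invoke resources."""
    return event_name.startswith(("Run", "Create"))


def baseline_regions(events):
    """Set of (country, region) seen in historical provisioning events."""
    seen = set()
    for ev in events:
        if not is_provisioning(ev["eventName"]):
            continue
        country, region = geolocate(ev["sourceIPAddress"])
        if region is not None:          # unresolved IPs do not form a baseline
            seen.add((country, region))
    return seen


def detect(events, seen):
    """Alert on provisioning from a region not in `seen`.

    Returns (alerts, unresolved). IPs that resolve to no region are collected
    in `unresolved` rather than alerted on, sidestepping low-resolution GeoIP
    noise. `seen` is updated in place so a second event from the same newly
    observed region does not alert again."""
    alerts, unresolved = [], []
    for ev in events:
        if not is_provisioning(ev["eventName"]):
            continue
        country, region = geolocate(ev["sourceIPAddress"])
        if region is None:
            unresolved.append(ev["sourceIPAddress"])
            continue
        key = (country, region)
        if key not in seen:
            alerts.append({"eventTime": ev["eventTime"],
                           "eventName": ev["eventName"],
                           "user": ev["userIdentity"]["arn"],
                           "sourceIPAddress": ev["sourceIPAddress"],
                           "region": key})
            seen.add(key)
    return alerts, unresolved


def ct_event(time, name, ip, user):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "awsRegion": "us-east-1",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}


# Constructed history: two provisioning events plus a read-only call from
# Tokyo, which must NOT put Tokyo into the baseline.
HISTORICAL = [
    ct_event("2024-11-01T10:00:00Z", "RunInstances", "198.51.100.10", "alice"),
    ct_event("2024-11-02T11:00:00Z", "CreateUser", "203.0.113.5", "bob"),
    ct_event("2024-11-03T12:00:00Z", "DescribeInstances", "2001:db8::2", "carol"),
]

# Constructed new events: known region, low-resolution IP, new region,
# repeat from the new region, and a non-provisioning call.
NEW = [
    ct_event("2024-11-14T08:00:00Z", "RunInstances", "198.51.100.22", "alice"),
    ct_event("2024-11-14T08:05:00Z", "CreateFunction", "192.0.2.9", "dave"),
    ct_event("2024-11-14T08:10:00Z", "RunInstances", "2001:db8::1", "eve"),
    ct_event("2024-11-14T08:12:00Z", "RunInstances", "2001:db8::3", "eve"),
    ct_event("2024-11-14T08:15:00Z", "DescribeInstances", "2001:db8::4", "eve"),
]


def run_example():
    """Baseline on HISTORICAL, then evaluate NEW; returns (alerts, unresolved)."""
    return detect(NEW, baseline_regions(HISTORICAL))


if __name__ == "__main__":
    alerts, unresolved = run_example()
    for a in alerts:
        print("ALERT", a)
    print("no region resolved for", unresolved)
```

Only the first RunInstances from the 2001:db8::/32 block alerts: the earlier DescribeInstances from that block never entered the baseline because it is not a provisioning call, and the repeat from 2001:db8::3 is suppressed because the region is now known. The CreateFunction from 192.0.2.9 lands in the unresolved list instead of alerting, which is the behaviour the deprecated rule lacked and the reason it was noisy where GeoIP resolution is poor.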
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1535
Created: 2024-11-14