AWS Cloud Provisioning From Previously Unseen Country

Splunk Security Content

Summary
This anomaly detection rule flags AWS provisioning activity that originates from a country the organization has not previously provisioned from. The search runs over AWS CloudTrail logs and selects events whose eventName begins with "Run" or "Create" (for example RunInstances or CreateBucket), which are the verbs that indicate resource provisioning. It then applies the `iplocation` command to the sourceIPAddress field to resolve the country of the request.

The detection keeps a lookup table of previously seen provisioning sources. Events whose country already appears in that table are treated as known and filtered out, so only the first observation of a country produces a result. Each result carries the user involved, the source IP, the resolved country, the event name, and any associated error code (a failed, access-denied provisioning attempt from a new country is at least as interesting as a successful one).

This rule has been deprecated in favor of a version built on Splunk's Change data model, which provides the same detection in a normalized and more efficient form; users should migrate to that version.

On false positives: this is a purely behavioral detection. Every result accurately reflects the first time a country was seen in the provisioning history (including the case where a GeoIP database update introduces a country that was not resolvable before), so such results are not false positives in the traditional sense. The rule reports a geographic anomaly, not evidence of malicious activity, and each hit still needs to be triaged against expected user locations and travel.
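The following Python models the detection logic described above over constructed CloudTrail records. It is an added illustration and not Splunk's own search or code: the GeoIP table (standing in for `iplocation`), the sample events, the baseline of known countries, and the choice to drop events whose source IP cannot be resolved to a country are all assumptions made here. The output mirrors what the rule reports (user, source IP, country, event name, error code) together with the first and last time each combination was seen, and the returned baseline can be fed back in so the next run treats those countries as known.

```python
"""Model of the 'provisioning from previously unseen country' logic.

Added example, not Splunk's code. Everything below (GeoIP prefixes, country
codes, CloudTrail records, baseline) is constructed for illustration.
"""
import ipaddress
import json
from typing import Optional

# Constructed GeoIP table standing in for Splunk's `iplocation` command.
# Prefixes are RFC 5737 documentation ranges; the country codes are invented.
GEOIP_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "DE",
    "192.0.2.0/24": "BR",
}
_GEOIP_NETS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEOIP_TABLE.items()]

# Constructed CloudTrail records (NDJSON), reduced to the fields the rule uses.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2024-11-14T08:00:00Z","eventName":"RunInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2024-11-14T08:05:00Z","eventName":"DescribeInstances","sourceIPAddress":"192.0.2.44","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-11-14T08:10:00Z","eventName":"CreateBucket","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-11-14T08:12:00Z","eventName":"CreateUser","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"errorCode":"AccessDenied"}
{"eventTime":"2024-11-14T09:00:00Z","eventName":"RunInstances","sourceIPAddress":"192.0.2.44","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-11-14T09:30:00Z","eventName":"RunInstances","sourceIPAddress":"192.0.2.44","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-11-14T09:45:00Z","eventName":"CreateKeyPair","sourceIPAddress":"10.9.8.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/carol"}}
"""

# The "previously seen provisioning activity" lookup, modelled as the set of
# countries already observed. Assumed baseline: only US has been seen before.
KNOWN_COUNTRIES = {"US"}


def geolocate(ip: str) -> Optional[str]:
    """Longest-prefix match against the constructed GeoIP table; None if unresolved."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best = None
    for net, cc in _GEOIP_NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def is_provisioning(event_name: str) -> bool:
    """Equivalent of eventName=Run* OR eventName=Create* in the original search."""
    return event_name.startswith(("Run", "Create"))


def detect(ndjson: str, known_countries: set):
    """Return (alerts, updated_known_countries).

    One alert per (user, src_ip, country, event_name, error_code) combination,
    with firstTime/lastTime, like a `stats earliest(_time) latest(_time) by ...`.
    Events from countries already in `known_countries` are filtered out.
    """
    rows = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = ev.get("eventName", "")
        if not is_provisioning(name):
            continue
        country = geolocate(ev.get("sourceIPAddress", ""))
        if country is None:
            # Assumption: an IP with no GeoIP match has no Country field and is dropped.
            continue
        if country in known_countries:
            continue
        key = (
            ev.get("userIdentity", {}).get("arn", "unknown"),
            ev["sourceIPAddress"],
            country,
            name,
            ev.get("errorCode", ""),
        )
        t = ev["eventTime"]  # ISO-8601 strings of one format compare correctly
        if key not in rows:
            rows[key] = {"firstTime": t, "lastTime": t}
        else:
            rows[key]["firstTime"] = min(rows[key]["firstTime"], t)
            rows[key]["lastTime"] = max(rows[key]["lastTime"], t)

    fields = ("user", "src_ip", "country", "event_name", "error_code")
    alerts = [dict(zip(fields, k), **v) for k, v in rows.items()]
    # Fold newly seen countries into the lookup so they are "known" next run.
    updated = known_countries | {a["country"] for a in alerts}
    return alerts, updated


if __name__ == "__main__":
    found, baseline = detect(SAMPLE_CLOUDTRAIL, KNOWN_COUNTRIES)
    for a in found:
        print(json.dumps(a))
    print("baseline now:", sorted(baseline))
```

Three results come out of the sample: CreateBucket and a failed (AccessDenied) CreateUser from the DE address, and RunInstances from the BR address collapsed into a single row spanning 09:00 to 09:30. The DescribeInstances call is not a provisioning verb, the alice RunInstances call comes from the already known US, and carol's CreateKeyPair from an address with no GeoIP match is dropped, which is the gap a GeoIP update can later close, producing a "new country" result that is not a false positive in the traditional sense.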
Categories
  • Cloud
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1535
Created: 2024-11-14