
EC2 Instance Started In Previously Unseen Region

Splunk Security Content

Summary
The detection rule identifies AWS CloudTrail events where Elastic Compute Cloud (EC2) instances are started in previously unseen regions. It searches for instance-start events within the last hour and aggregates the results by region, then checks each region against a lookup of previously recognized regions. If an instance is launched in a region not found in this lookup, that region is flagged as a potential area of interest for further investigation. The rule also applies a lookup operation to append newly observed regions to the prior list, enabling continuous monitoring of regional usage patterns. The criterion for new activity requires the instances to have been started within the last hour, with an additional check that filters established regions out of the output. The search therefore outputs any instances starting in regions that have not been previously seen, alerting analysts to potentially unauthorized or suspicious deployments.
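The following is an added illustration of the rule's logic written in Python, not the Splunk rule's own SPL or any code from the Splunk Security Content project. It applies the same steps to a few constructed CloudTrail-style events: keep only EC2 instance-start events from the last hour, aggregate them by region, compare each region with a lookup of previously seen regions, emit the unseen ones, and append them to the lookup so they are not re-alerted next run. The `eventName` values treated as "instance started" (`StartInstances`, `RunInstances`), the in-memory dictionary standing in for the Splunk lookup, and the sample events are all assumptions made for the example.

```python
"""Model of 'EC2 Instance Started In Previously Unseen Region'.

Added example: it mirrors the detection's logic over constructed
CloudTrail-style records. The dict `KNOWN_REGIONS` stands in for the
Splunk lookup of previously seen regions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Assumption: these CloudTrail eventNames represent an EC2 instance start.
START_EVENTS = {"StartInstances", "RunInstances"}
LOOKBACK = timedelta(hours=1)          # the rule's "within the last hour"

# Constructed "previously seen regions" lookup: region -> first seen (UTC).
KNOWN_REGIONS: Dict[str, str] = {
    "us-east-1": "2024-10-01T08:00:00Z",
    "eu-central-1": "2024-10-03T14:30:00Z",
}

# Constructed reference time for the search, and constructed sample events.
NOW = datetime(2024, 11, 14, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # known region, inside the window -> filtered out as established
    {"eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
     "awsRegion": "us-east-1", "eventTime": "2024-11-14T11:30:00Z"},
    # unseen region, inside the window -> should be flagged (two events)
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "eventTime": "2024-11-14T11:45:00Z"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "eventTime": "2024-11-14T11:50:00Z"},
    # unseen region but three hours old -> outside the search window
    {"eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
     "awsRegion": "eu-west-1", "eventTime": "2024-11-14T09:00:00Z"},
    # unseen region, but not an instance start -> ignored
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "sa-east-1", "eventTime": "2024-11-14T11:55:00Z"},
    # unseen region, but not an EC2 event -> ignored
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "ca-central-1", "eventTime": "2024-11-14T11:58:00Z"},
]


def parse_event_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def started_regions(events: Iterable[Dict[str, str]], now: datetime) -> Dict[str, int]:
    """Aggregate step: count EC2 instance-start events per region in the window."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in START_EVENTS:
            continue
        ts = parse_event_time(ev["eventTime"])
        if ts < now - LOOKBACK or ts > now:
            continue
        region = ev["awsRegion"]
        counts[region] = counts.get(region, 0) + 1
    return counts


def detect_unseen_regions(events: Iterable[Dict[str, str]],
                          known_regions: Dict[str, str],
                          now: datetime) -> Dict[str, int]:
    """Return {region: start_count} for regions absent from the lookup.

    Mirrors the rule's lookup/append behaviour: every newly seen region is
    written back into `known_regions` (the stand-in for the Splunk lookup),
    so a second run over the same events produces no new alerts.
    """
    recent = started_regions(events, now)
    unseen: Dict[str, int] = {}
    for region, count in sorted(recent.items()):
        if region in known_regions:
            continue                      # established region, filtered out
        unseen[region] = count
        known_regions[region] = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return unseen


if __name__ == "__main__":
    lookup = dict(KNOWN_REGIONS)          # copy so the module constant stays intact
    for region, count in detect_unseen_regions(SAMPLE_EVENTS, lookup, NOW).items():
        print(f"ALERT: {count} EC2 start event(s) in previously unseen region {region}")
    print("lookup now contains:", sorted(lookup))
```

Only `ap-southeast-1` is reported: `eu-west-1` is unseen but outside the one-hour window, and the terminate and S3 events never reach the region comparison. When triaging a hit, the natural follow-ups are the calling identity and source IP on the flagged events and whether the region is one the organization has approved for use; the lookup append means a legitimately adopted region is alerted on once and then treated as established.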
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Instance
ATT&CK Techniques
  • T1535
Created: 2024-11-14