How to do it...

To create automated alerts when a user creates an instance outside our region of choice (us-west1), we'll need to perform two steps. Firstly, we'll have to create a custom metric to identify the breach event. Next, we'll create an alerting policy in Stackdriver Monitoring to send us a notification when the conditions of the custom metric are met:

  1. Navigate to Stackdriver Logging in the GCP Console.
  2. In the resource dropdown, select GCE VM Instance, which will show us all logs related to VMs:
     If you don't have any logs for VM creation in your project, create a test VM to generate the activity logs.
  3. From the drop-down, select activity to filter only the activity-related logs:
  4. Now, we can see all the activity related to the VMs on our screen:
  5. Expand a log related to an insert event and navigate to the protoPayload section. Then, click on methodName: "beta.compute.instances.insert", which shows you a pop-up menu. In the pop-up menu, select Show matching entries to create a new filter for VM create events:
  6. By clicking on Show matching entries, the filter conditions are created in the top part of the window:
  7. This filter gives us all the VM create events. However, we are interested in the VMs created outside the us-west region. We'll add a new condition protoPayload.response.zone to the existing filter:
     resource.type="gce_instance"
     logName="projects/<Project ID>/logs/cloudaudit.googleapis.com%2Factivity"
     protoPayload.methodName="beta.compute.instances.insert"
     NOT resource.labels.zone=("us-west1-c" OR "us-west1-a" OR "us-west1-b")
  8. Replace the Project ID with your project ID and click on Submit Filter to test the syntax and result. To test the filter, create an instance in us-central1-a and re-run the filter to view the create activity of the VM in us-central1-a:
  9. Now, click on the CREATE METRIC button, give a name to this metric, and create it:
  10. Now, you'll see the user-defined metric created in the log-based metrics section. Select View in Metrics Explorer; this will take us to the Stackdriver Monitoring application:
  11. If the current project is not associated with a Stackdriver account, the monitoring application will request a new account be created or the project be added to an existing account.
  12. After the Stackdriver Monitoring account is set up for the project, navigate to the monitoring overview section. Under Set Alerting Policies, click on CREATE POLICY:
  13. This takes us to the Create new alerting policy page:
  14. Click on Add Condition and select the condition type as Metric Threshold:
  15. In the Add Metric Threshold Condition screen, select Log Metrics as the resource type. In the Configuration section, we'll be able to see our user-defined metric; select our VM_oustide_US-West metric and give a threshold of 1. Then, save the condition:
  16. Under the Notifications section, give an email address to be notified when the metric condition is met:
  17. Give a name to the policy and click on Save Policy:
  18. Now, if any user creates a VM in any region other than us-west1, the admin will be notified.
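
Before an alert depends on the filter, it helps to check which log entries the metric will actually count. The following is an added example, not part of the original recipe: a local model of the filter's four conditions (not the Cloud Logging query engine), run over constructed log entries. The project ID, the sample entries, and the matches_any_api_version variant are assumptions made for illustration.

```python
# Local model of the recipe's log filter; all sample data below is constructed.
PROJECT_ID = "example-project"  # placeholder, stands in for <Project ID>
ACTIVITY_LOG = f"projects/{PROJECT_ID}/logs/cloudaudit.googleapis.com%2Factivity"
ALLOWED_ZONES = {"us-west1-a", "us-west1-b", "us-west1-c"}

def field(entry, path):
    """Follow a dotted path such as 'resource.labels.zone'; None if absent."""
    for key in path.split("."):
        if not isinstance(entry, dict) or key not in entry:
            return None
        entry = entry[key]
    return entry

def matches_recipe_filter(entry):
    """The four conditions of the recipe's filter, ANDed together."""
    return (
        field(entry, "resource.type") == "gce_instance"
        and field(entry, "logName") == ACTIVITY_LOG
        and field(entry, "protoPayload.methodName") == "beta.compute.instances.insert"
        and field(entry, "resource.labels.zone") not in ALLOWED_ZONES
    )

def matches_any_api_version(entry):
    """Hypothetical variant: accept any '<version>.compute.instances.insert'."""
    method = field(entry, "protoPayload.methodName") or ""
    relaxed = dict(entry, protoPayload={"methodName": "beta.compute.instances.insert"})
    return method.endswith(".compute.instances.insert") and matches_recipe_filter(relaxed)

def sample_entry(method, zone):
    """Build a minimal, constructed activity-log entry (not real log data)."""
    return {
        "logName": ACTIVITY_LOG,
        "resource": {"type": "gce_instance", "labels": {"zone": zone}},
        "protoPayload": {"methodName": method},
    }

SAMPLES = [
    sample_entry("beta.compute.instances.insert", "us-west1-a"),     # allowed zone
    sample_entry("beta.compute.instances.insert", "us-central1-a"),  # the recipe's test VM
    sample_entry("beta.compute.instances.delete", "us-central1-a"),  # not a create event
    sample_entry("v1.compute.instances.insert", "europe-west1-b"),   # create via the v1 API
]

def count(entries, predicate):
    """Number of entries a counter metric built on this filter would count."""
    return sum(1 for e in entries if predicate(e))
```

Of the four sample entries, the recipe's filter counts only the beta create in us-central1-a; the v1 create in europe-west1-b is counted only by the variant, so it is worth checking which methodName values appear in your own activity logs.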