
Summary
The Azure High-Risk Sign-In detection rule monitors and alerts on sign-in attempts that Microsoft Entra ID Protection has rated as high risk. Entra ID Protection scores each sign-in using Microsoft's machine-learning risk detections, so the alerts surface accounts that may be compromised because their authentication pattern departs from what the service has learned is normal. Typical causes are leaked or stolen credentials, atypical (impossible) travel, and sign-ins from unfamiliar locations or IP addresses.

When the rule runs it evaluates a combination of sign-in attributes: the user principal name or service principal name, the source IP address, and the risk levels Entra ID Protection assigned to the sign-in, both the real-time level for that attempt and the aggregated level that folds in offline detections. A high risk level is a signal, not proof of compromise, so the rule stresses reviewing the sign-in logs around the alert to establish the account's normal behaviour (usual IP ranges, countries, devices and applications) and to look for unusual activity on the same account. Two checks a responder should make early are whether the flagged sign-in actually succeeded or was blocked by a risk-based Conditional Access policy, and what the account's current risk state is (for example at risk, remediated or dismissed). The rule also provides a structured runbook for working through the log events to decide whether the account has been put at risk, based on its recent activity and geographic access pattern.
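The following is an added example, not the rule's own query or code, that shows the two halves of the description above on constructed data: the alert condition (a sign-in whose real-time or aggregated risk level is high) and the runbook's baseline comparison (was the IP and country seen for this account in the preceding days, and did the sign-in succeed). Field names are an assumption modelled on the Entra sign-in log schema (userPrincipalName, ipAddress, riskLevelDuringSignIn, riskLevelAggregated, riskState, resultType); the sample events are fabricated and use documentation IP ranges.

```python
"""Added example: evaluate Entra ID Protection risk levels on sign-in events and
enrich each alert with the account's recent baseline. Not the detection rule's
own code; field names are an assumption based on the Entra sign-in log schema."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real telemetry). resultType 0 is taken
# to mean success, as in the SigninLogs table; non-zero is an AADSTS error code.
SAMPLE_EVENTS = [
    {"createdDateTime": "2026-01-28T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "riskLevelDuringSignIn": "none",
     "riskLevelAggregated": "none", "riskState": "none", "resultType": 0},
    {"createdDateTime": "2026-01-29T08:05:40Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "riskLevelDuringSignIn": "none",
     "riskLevelAggregated": "none", "riskState": "none", "resultType": 0},
    {"createdDateTime": "2026-01-30T17:48:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.22", "countryOrRegion": "US", "riskLevelDuringSignIn": "none",
     "riskLevelAggregated": "none", "riskState": "none", "resultType": 0},
    # The event the rule should alert on: high risk, new country, new IP, and it succeeded.
    {"createdDateTime": "2026-01-31T03:15:27Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "countryOrRegion": "RO", "riskLevelDuringSignIn": "high",
     "riskLevelAggregated": "high", "riskState": "atRisk", "resultType": 0},
    # Medium/low risk and a failed credential: below the rule's threshold.
    {"createdDateTime": "2026-01-31T03:40:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.55", "countryOrRegion": "US", "riskLevelDuringSignIn": "medium",
     "riskLevelAggregated": "low", "riskState": "atRisk", "resultType": 50126},
]


def parse_time(ts):
    """Sign-in timestamps are ISO 8601 in UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_high_risk(event):
    """Alert condition: either the real-time risk level for this sign-in or the
    aggregated level (real-time plus offline detections) is 'high'."""
    return event["riskLevelDuringSignIn"] == "high" or event["riskLevelAggregated"] == "high"


def detect(events):
    """Return the events that would raise the high-risk sign-in alert."""
    return [event for event in events if is_high_risk(event)]


def baseline(events, user, before, days=14):
    """Summarise the account's sign-ins in the `days` before `before`, excluding
    events that were themselves flagged, to establish normal behaviour."""
    start = before - timedelta(days=days)
    prior = [
        event for event in events
        if event["userPrincipalName"] == user
        and start <= parse_time(event["createdDateTime"]) < before
        and not is_high_risk(event)
    ]
    return {
        "countries": Counter(event["countryOrRegion"] for event in prior),
        "ips": Counter(event["ipAddress"] for event in prior),
        "sign_ins": len(prior),
    }


def triage(events, alert, days=14):
    """Answer the runbook's first questions for one alert: did the sign-in
    succeed, what is the risk state, and are the IP and country new for this user?"""
    when = parse_time(alert["createdDateTime"])
    base = baseline(events, alert["userPrincipalName"], when, days)
    return {
        "user": alert["userPrincipalName"],
        "time": alert["createdDateTime"],
        "succeeded": alert["resultType"] == 0,
        "risk_state": alert["riskState"],
        "new_ip": alert["ipAddress"] not in base["ips"],
        "new_country": alert["countryOrRegion"] not in base["countries"],
        "known_countries": sorted(base["countries"]),
        "prior_sign_ins": base["sign_ins"],
    }


def run(events=SAMPLE_EVENTS):
    """Detect, then enrich every alert with its baseline comparison."""
    return [triage(events, alert) for alert in detect(events)]


if __name__ == "__main__":
    for row in run():
        print(row)
```

On the sample data only the alice@example.com sign-in from RO is detected; the triage output records that it succeeded, that both the IP and the country are new against three prior sign-ins all from US, and that the account is still marked at risk. A successful high-risk sign-in from a never-seen country with no remediation is the combination that warrants immediate session revocation and password reset, whereas a blocked attempt against an account that Conditional Access already challenged is lower priority.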
Categories
- Identity Management
- Cloud
- Azure
Data Sources
- User Account
- Logon Session
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
Created: 2026-01-31