Unusual City For a GCP Event

Elastic Detection Rules

Summary
This machine learning rule, created by Elastic, detects unusual geolocation activity in GCP Audit logs that may indicate potentially compromised accounts. It triggers when a machine learning job identifies events originating from a city that is atypical for the action performed, which could suggest that a malicious actor is using stolen credentials from a geographical location different from the authorized user's. The detection rule carries a low severity and has a risk score of 21. It is designed to minimize false positives associated with legitimate user behaviors such as manual troubleshooting, geographic expansion by organizations, and remote work. The rule works by analyzing logs collected from GCP and requires the appropriate anomaly detection jobs to be set up. It was created for environments using GCP technologies and is specifically aimed at improving cloud security posture against unauthorized access attempts.
Categories
  • Cloud
Data Sources
  • Group
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2025-10-06