
Summary
The rule `Notion.LoginFromNewLocation` detects potential unauthorized access to Notion accounts by flagging logins from locations the user has not been seen at before. It reads Notion audit logs, selects login events, and compares each login's source IP address against the historical login IPs recorded for that user in a persistent dictionary. A login from an IP address that has never been associated with the user triggers an alert; "location" here means the source IP, not a geolocation lookup. The rule has medium severity and targets account takeover: an alert is a prompt for administrators to contact the affected user and confirm that the login was legitimate. Alerts are deduplicated over a 60-minute period, and the threshold is one login from an unknown location, so a single unrecognised IP is enough to fire. Because the dictionary is learned from observed logins, a user's first recorded login (and every user's first login after the rule is deployed) will also match, so expect a burst of alerts immediately after enabling the rule. The rule's tests check that it stays quiet on logins from known IPs and on non-login events and fires only on logins from new locations.
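The following is an added, self-contained re-implementation of the detection logic described above, run over constructed sample events; it is not the rule's own code. The event field names (`event.type` of `user.login`, `event.ip_address`, `event.timestamp`, `event.actor.person.email`) are assumptions modelled loosely on Notion's audit log and are not confirmed by this page. An in-memory per-user set of IPs stands in for the rule's persistent dictionary, and the 60-minute dedup window and threshold of one are applied per user.

```python
"""Added example: Notion.LoginFromNewLocation-style detection over sample events.

Field names below are assumptions (not confirmed by the page). The per-user
set of seen IPs replaces the rule's persistent dictionary.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

LOGIN_EVENT_TYPE = "user.login"         # assumed Notion audit event type
DEDUP_PERIOD = timedelta(minutes=60)     # rule's 60-minute deduplication window
THRESHOLD = 1                            # one unknown-location login is enough


def _ts(minutes: int) -> str:
    """ISO-8601 timestamp `minutes` after a fixed base time (constructed data)."""
    base = datetime(2023, 10, 13, 9, 0, tzinfo=timezone.utc)
    return (base + timedelta(minutes=minutes)).isoformat()


def _event(etype: str, email: str, ip: str, minutes: int) -> dict:
    return {"event": {"type": etype, "ip_address": ip, "timestamp": _ts(minutes),
                      "actor": {"person": {"email": email}}}}


# Constructed sample events, not real Notion data.
SAMPLE_EVENTS = [
    _event(LOGIN_EVENT_TYPE, "alice@example.com", "203.0.113.10", 0),    # first login: new IP
    _event(LOGIN_EVENT_TYPE, "alice@example.com", "203.0.113.10", 5),    # known IP: quiet
    _event(LOGIN_EVENT_TYPE, "alice@example.com", "198.51.100.7", 20),   # new IP, inside dedup window
    _event("page.viewed",    "bob@example.com",   "192.0.2.44",   30),   # irrelevant event type
    _event(LOGIN_EVENT_TYPE, "bob@example.com",   "192.0.2.44",   150),  # new IP for bob: alert
]


def deep_get(obj, *keys, default=None):
    """Safe nested lookup: deep_get(ev, "event", "actor", "person", "email")."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


class NewLocationDetector:
    def __init__(self) -> None:
        self.known_ips: Dict[str, Set[str]] = {}              # user -> IPs seen so far
        self.window: Dict[str, Tuple[datetime, int]] = {}     # user -> (window start, hits)
        self.alerts: List[str] = []

    def rule(self, event: dict) -> bool:
        """True when a login comes from an IP not previously seen for that user."""
        if deep_get(event, "event", "type") != LOGIN_EVENT_TYPE:
            return False                                      # non-login events never match
        user = deep_get(event, "event", "actor", "person", "email")
        ip = deep_get(event, "event", "ip_address")
        if not user or not ip:
            return False                                      # malformed record: do not guess
        seen = self.known_ips.setdefault(user, set())
        is_new = ip not in seen
        seen.add(ip)                                          # learn it so repeats stay quiet
        return is_new

    @staticmethod
    def title(event: dict) -> str:
        user = deep_get(event, "event", "actor", "person", "email")
        ip = deep_get(event, "event", "ip_address")
        return f"Notion login from new location: {user} from {ip}"

    def process(self, event: dict) -> Optional[str]:
        """Apply rule, threshold and dedup; return the alert title or None."""
        if not self.rule(event):
            return None
        user = deep_get(event, "event", "actor", "person", "email")
        ts = datetime.fromisoformat(deep_get(event, "event", "timestamp"))
        start, hits = self.window.get(user, (None, 0))
        if start is None or ts - start >= DEDUP_PERIOD:
            start, hits = ts, 0                               # open a fresh dedup window
        hits += 1
        self.window[user] = (start, hits)
        if hits != THRESHOLD:
            return None                                       # grouped into the open alert
        alert = self.title(event)
        self.alerts.append(alert)
        return alert


def run_detector(events: List[dict]) -> List[str]:
    """Feed events in order and return the alert titles that fired."""
    detector = NewLocationDetector()
    for ev in events:
        detector.process(ev)
    return detector.alerts


if __name__ == "__main__":
    for line in run_detector(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the first alice login and the bob login fire, the repeat from a known IP and the `page.viewed` event do not, and alice's second new IP twenty minutes later is learned but folded into the open 60-minute alert for her rather than raised separately. The first-login behaviour is the cold-start caveat to plan for: in a real deployment the dictionary should be seeded from historical audit logs before the rule is turned on, or the first day of alerts treated as baseline building.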
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
- Cloud Service
Created: 2023-10-13