
Summary
This rule defines a machine learning job that identifies unusual source IP addresses used for user logins. Such anomalies can indicate unauthorized access, typically through a compromised account or lateral movement within a network. The job learns a per-user baseline of the source IP addresses each account normally logs in from and raises an alert when a user logs in from an address that deviates significantly from that baseline, behaviour associated with account compromise or intruder activity. An alert fires only when the anomaly score reaches the configured threshold, here 75 on the 0 to 100 scale Elastic ML uses, so weakly unusual logins are not surfaced. Setup requires one of the Elastic Defend, Auditd Manager, or System integrations to supply the login events the job analyzes. Baseline-driven monitoring of this kind is especially valuable in environments where users change location often, since a static allowlist of addresses cannot keep up while a learned baseline still catches a first login from an address the account has never used. The alerts carry the metadata needed for triage and investigation, and the rule provides guidance for reducing false positives from legitimate behaviour such as business travel. Two practical caveats follow from the design: the baseline needs enough login history for a user before its score means anything, and a change in shared egress addresses (a new VPN or proxy, for example) looks anomalous for every affected user at once.
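To make the detection logic concrete, the following is an added example and not the Elastic ML job or any code from the rule itself. It replaces the job's probabilistic model with a simple frequency-based rarity score (an assumption made here so the logic can run offline) and keeps the rule's threshold of 75. The class name `RareSourceIpDetector`, the `MIN_BASELINE_LOGINS` cold-start guard, the trusted-network suppression list, and all login records are constructed for the illustration; the event field names follow ECS naming but the sample data is invented.

```python
"""Per-user rare-source-IP detector over sample login events (added example).

The real rule uses an Elastic ML anomaly score; this stand-in scores an IP by
how rarely the user has logged in from it, on a 0-100 scale, so the same
threshold can be applied. Everything below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

ANOMALY_THRESHOLD = 75     # the threshold the rule is configured with
MIN_BASELINE_LOGINS = 5    # assumption: refuse to score users with a thin baseline


def _ev(user: str, ip: str, outcome: str = "success") -> dict:
    """Build a minimal ECS-style login record (constructed sample data)."""
    return {"user.name": user, "source.ip": ip, "event.outcome": outcome}


# Constructed history: alice has ten successful logins from two office addresses
# plus one failed attempt from an outside address; bob has almost no history.
BASELINE_EVENTS = (
    [_ev("alice", "10.0.1.15")] * 7
    + [_ev("alice", "10.0.1.20")] * 3
    + [_ev("alice", "203.0.113.7", "failure")]  # failures must not enter the baseline
    + [_ev("bob", "10.0.2.8")] * 2
)

# Constructed logins to evaluate against that baseline.
NEW_LOGINS = [
    _ev("alice", "10.0.1.15"),     # usual address: low score
    _ev("alice", "10.0.1.20"),     # less common but known: below threshold
    _ev("alice", "203.0.113.7"),   # never a successful source for alice: alert
    _ev("alice", "198.51.100.9"),  # unseen, but inside a trusted VPN range: suppressed
    _ev("bob", "203.0.113.7"),     # bob's baseline is too thin to judge: not scored
]


@dataclass
class Alert:
    user: str
    source_ip: str
    score: int


class RareSourceIpDetector:
    def __init__(self, trusted_networks: tuple[str, ...] = ()):
        # Assumption: known corporate egress ranges are a false-positive source
        # (business travel over the VPN, proxy changes), so they are suppressed.
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.by_user: dict[str, Counter] = defaultdict(Counter)

    def learn(self, events: list[dict]) -> None:
        """Count successful logins per (user, source IP); failures are ignored so
        an attacker's failed attempts cannot pre-seed their own address."""
        for ev in events:
            if ev.get("event.outcome") != "success":
                continue
            self.by_user[ev["user.name"]][ev["source.ip"]] += 1

    def score(self, user: str, ip: str) -> int | None:
        """Rarity of `ip` for `user` on a 0-100 scale; None if history is too thin."""
        seen = self.by_user.get(user)
        if seen is None:
            return None
        total = sum(seen.values())
        if total < MIN_BASELINE_LOGINS:
            return None
        return round(100 * (1 - seen[ip] / total))  # unseen IP -> 100

    def evaluate(self, event: dict) -> Alert | None:
        user, ip = event["user.name"], event["source.ip"]
        if any(ipaddress.ip_address(ip) in net for net in self.trusted):
            return None
        s = self.score(user, ip)
        if s is None or s < ANOMALY_THRESHOLD:
            return None
        return Alert(user, ip, s)


def run_demo() -> list[Alert]:
    """Learn the constructed baseline and evaluate the constructed new logins."""
    detector = RareSourceIpDetector(trusted_networks=("198.51.100.0/24",))
    detector.learn(BASELINE_EVENTS)
    return [a for a in (detector.evaluate(ev) for ev in NEW_LOGINS) if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT user={alert.user} source.ip={alert.source_ip} score={alert.score}")
```

Only alice's login from 203.0.113.7 produces an alert. Her login from 10.0.1.20 scores 70 and stays below the threshold, the login from the trusted VPN range is suppressed outright, and bob is not scored at all because two logins are not a baseline; that last case is the cold-start condition a real deployment has to ride out before trusting the job's output.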
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
ATT&CK Techniques
- T1078
Created: 2021-06-10