
Summary
This detection rule correlates successful sign-in events from Microsoft Azure or Office 365 with network security alerts raised for the same source IP address. An attacker's earlier activity (scanning, password spraying, credential stuffing) will often trigger network alerts before the attacker manages to authenticate to a cloud resource, so a successful sign-in from an IP address that was recently the subject of such an alert is a strong indicator of a compromised account. The rule joins the sign-in log data with the external alert data on source IP and flags accounts whose sign-in behaviour and associated IP reputation suggest compromise. It includes investigation and incident response steps so that security teams can triage the alert, assess the risk to the account, and take action if malicious activity is confirmed.
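The correlation the rule performs, shown as an added Python example that is not the rule's own search logic. The field names (time, user, src_ip, result, app, signature, severity), the sample sign-in events, the sample alerts and the 24-hour look-back window are all constructed assumptions for illustration; the source addresses are taken from the RFC 5737 documentation ranges.

```python
"""Correlate successful cloud sign-ins with network alerts from the same source IP.

Added illustration of the detection logic. Field names, sample events and the
look-back window are constructed assumptions, not Azure/Office 365 schema or
any particular alert source's format.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in events (Azure AD / Office 365 style, simplified).
SIGNINS = [
    {"time": "2025-04-29T10:05:00", "user": "alice@example.com",
     "src_ip": "203.0.113.10", "result": "success", "app": "Office 365"},
    {"time": "2025-04-29T10:07:00", "user": "bob@example.com",
     "src_ip": "198.51.100.5", "result": "success", "app": "Azure Portal"},
    {"time": "2025-04-29T10:09:00", "user": "carol@example.com",
     "src_ip": "203.0.113.10", "result": "failure", "app": "Office 365"},
    {"time": "2025-04-29T18:00:00", "user": "dave@example.com",
     "src_ip": "192.0.2.77", "result": "success", "app": "Office 365"},
]

# Constructed sample network security alerts (IDS/firewall style, simplified).
ALERTS = [
    {"time": "2025-04-29T09:40:00", "src_ip": "203.0.113.10",
     "signature": "Password spray against OWA", "severity": "high"},
    {"time": "2025-04-28T09:00:00", "src_ip": "192.0.2.77",
     "signature": "Port scan", "severity": "medium"},
    {"time": "2025-04-29T11:00:00", "src_ip": "198.51.100.5",
     "signature": "Credential stuffing", "severity": "high"},
]

# Assumed severity ordering used to pick the worst alert per finding.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(signins, alerts, window_hours=24):
    """Return one finding per successful sign-in whose source IP raised at
    least one network alert in the window_hours before the sign-in.

    Alerts raised after the sign-in are deliberately not matched: the rule
    is looking for attacker activity that preceded the successful login.
    """
    window = timedelta(hours=window_hours)
    by_ip = {}
    for alert in alerts:
        by_ip.setdefault(alert["src_ip"], []).append(alert)

    findings = []
    for signin in sorted(signins, key=lambda e: e["time"]):
        if signin["result"] != "success":
            continue  # failed attempts belong to brute-force rules, not this one
        when = _ts(signin["time"])
        hits = [a for a in by_ip.get(signin["src_ip"], [])
                if when - window <= _ts(a["time"]) <= when]
        if not hits:
            continue
        worst = max(hits, key=lambda a: SEVERITY_RANK.get(a["severity"], 0))
        findings.append({
            "user": signin["user"],
            "src_ip": signin["src_ip"],
            "app": signin["app"],
            "signin_time": signin["time"],
            "alert_count": len(hits),
            "max_severity": worst["severity"],
            "alerts": sorted(hits, key=lambda a: a["time"]),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SIGNINS, ALERTS):
        print(f"{finding['user']} signed in to {finding['app']} from "
              f"{finding['src_ip']} at {finding['signin_time']}; "
              f"{finding['alert_count']} prior alert(s), worst: "
              f"{finding['max_severity']}")
```

With the constructed data only alice's sign-in is flagged: carol's attempt from the same alerted IP failed, bob's IP was alerted only after his sign-in, and dave's IP was alerted 33 hours earlier, outside the 24-hour window. Widening the window to 48 hours also surfaces dave, which is the tuning knob a practitioner should expect to adjust against the false-positive rate in their environment (shared egress IPs and VPN exit nodes are the usual source of noise).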
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- User Account
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2025-04-29