Azure Suspicious Login Failures

Anvilogic Forge

Summary
The Azure Suspicious Login Failures rule detects anomalous sign-in activity for Azure accounts, specifically users whose failed sign-ins originate from multiple distinct geographic locations or source addresses within a short period. It uses Azure Sign-In logs to surface patterns that may indicate brute-force or password-spraying attacks (T1110), or an attacker testing stolen credentials from infrastructure the legitimate user never uses. The logic, written in Splunk search language, first filters sign-in events to specific failure result codes: 50126 (invalid username or password), 50053 (account locked, or sign-in blocked, after repeated failures), 50055 (password expired) and 50056 (invalid or null password). It then groups the remaining failures per user over a 10-minute window and counts the distinct states, countries and source IP addresses involved. A user whose failures within one window span more than one location or more than one source IP is flagged. When triaging a hit, check whether the IPs belong to the organization's own VPN or proxy egress, a mobile carrier, or a cloud provider, since a legitimate user on a roaming or split-tunnel connection can produce failures from two geolocations inside ten minutes; failures from two countries, or a lockout (50053) following invalid-password errors from a different address, are stronger signals than repeated 50126 from a single ISP. Early detection of these patterns lets an organization respond to an account compromise attempt before a credential is successfully used.
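The aggregation described above, re-implemented in Python over a handful of constructed sign-in events, as an added illustration; this is not the rule's own SPL and not Anvilogic's code. It assumes sign-in records shaped like the Microsoft Graph signIn resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `location.state`, `location.countryOrRegion`, `status.errorCode`); a deployment reading Azure Monitor SigninLogs would map the equivalent fields. The sample includes a user failing from two countries, a user failing twice from one IP and then succeeding elsewhere, a user whose two failures fall in different 10-minute windows, and a user failing from two IPs in the same state, so the output shows which cases the rule's logic flags.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Sign-in result codes the rule filters on. The numeric values are from the rule
# summary; the descriptions are Microsoft's documented meanings of those codes.
FAILURE_CODES = {
    50126: "invalid username or password",
    50053: "account locked or sign-in blocked after repeated failures",
    50055: "password expired",
    50056: "invalid or null password",
}

WINDOW_SECONDS = 600  # the rule's 10-minute aggregation window

# Constructed sample sign-in events (not real logs). Field names follow the
# Microsoft Graph signIn resource shape, which is an assumption of this example.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime":"2024-02-09T12:00:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"state":"Texas","countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-02-09T12:04:30Z","userPrincipalName":"Alice@example.com","ipAddress":"198.51.100.7","location":{"state":"Bavaria","countryOrRegion":"DE"},"status":{"errorCode":50053}}
{"createdDateTime":"2024-02-09T12:01:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","location":{"state":"Texas","countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-02-09T12:03:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.20","location":{"state":"Texas","countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-02-09T12:06:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.99","location":{"state":"New South Wales","countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2024-02-09T12:02:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","location":{"state":"Ontario","countryOrRegion":"CA"},"status":{"errorCode":50055}}
{"createdDateTime":"2024-02-09T12:15:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.9","location":{"state":"Ontario","countryOrRegion":"CA"},"status":{"errorCode":50056}}
{"createdDateTime":"2024-02-09T12:05:00Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.40","location":{"state":"Texas","countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-02-09T12:06:10Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.41","location":{"state":"Texas","countryOrRegion":"US"},"status":{"errorCode":50126}}
"""


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def window_start(ts_iso: str, window_seconds: int = WINDOW_SECONDS) -> datetime:
    """Floor an ISO-8601 UTC timestamp to the start of its fixed-size window."""
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % window_seconds, tz=timezone.utc)


def detect(events, window_seconds: int = WINDOW_SECONDS) -> list:
    """Group filtered failures per (user, window) and flag multi-location/multi-IP users."""
    buckets = defaultdict(lambda: {"states": set(), "countries": set(),
                                   "ips": set(), "codes": set(), "failures": 0})
    for e in events:
        code = e.get("status", {}).get("errorCode", 0)
        if code not in FAILURE_CODES:
            continue  # successes and failure types outside the rule's filter are ignored
        # Normalise the UPN so "Alice@" and "alice@" land in the same bucket.
        key = (e["userPrincipalName"].lower(),
               window_start(e["createdDateTime"], window_seconds))
        loc = e.get("location", {})
        b = buckets[key]
        b["failures"] += 1
        b["codes"].add(code)
        b["ips"].add(e.get("ipAddress", ""))
        # A missing state/country is counted as its own value ("") on purpose:
        # a geolocation gap is worth seeing rather than silently merging.
        b["states"].add(loc.get("state", ""))
        b["countries"].add(loc.get("countryOrRegion", ""))

    alerts = []
    for (user, start), b in sorted(buckets.items()):
        if len(b["states"]) > 1 or len(b["countries"]) > 1 or len(b["ips"]) > 1:
            alerts.append({
                "user": user,
                "window_start": start.isoformat(),
                "failures": b["failures"],
                "distinct_states": len(b["states"]),
                "distinct_countries": len(b["countries"]),
                "distinct_ips": len(b["ips"]),
                "result_codes": sorted(b["codes"]),
            })
    return alerts


def run_sample() -> list:
    """Run the detection over the constructed sample and return the alerts."""
    return detect(parse_events(SAMPLE_SIGNIN_LOGS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Only alice (two countries, two states, two IPs, a 50126 followed by a 50053 lockout) and dave (two IPs in one state) are flagged; bob's successful sign-in from Australia is not a failure and does not count, and carol's two failures fall on either side of the 12:10 window boundary. The dave case is the one most likely to be a carrier or VPN rotating addresses, which is why the alert carries the distinct-country count alongside the IP count for the analyst to weigh.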
Categories
  • Cloud
  • Azure
Data Sources
  • Cloud Service
  • User Account
  • Application Log
ATT&CK Techniques
  • T1110
Created: 2024-02-09