
Azure AD Concurrent Sessions From Different Ips

Splunk Security Content

Summary
This analytic rule detects suspicious activity on Azure Active Directory (AD) user accounts that have concurrent sessions established from multiple unique IP addresses within a 5-minute window. The detection examines successful authentication events recorded in the Azure Active Directory NonInteractiveUserSignInLogs and counts the distinct source IP addresses from which each user signs in, in order to surface potential session hijacking. Attackers may replay stolen session cookies to gain unauthorized access to corporate resources from different geographic locations. If the malicious nature of this behavior is confirmed, it could lead to significant unauthorized access and potential data breaches. The rule uses a search query that extracts the relevant Azure AD log events, renames fields for easier analysis, buckets the events into 5-minute intervals, and uses statistical counting to ascertain the number of unique source IPs associated with each user in each interval.
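The same counting logic, written as an added Python example rather than the rule's own SPL search, run over a handful of constructed NonInteractiveUserSignInLogs-style records. The JSON field names (`properties.userPrincipalName`, `properties.ipAddress`, `properties.status.errorCode` with 0 meaning success) are an assumption about the export format and should be checked against your own data; the events, users and IP addresses are invented for the demonstration. The example also shows the three cases the rule deliberately does not flag: repeated sign-ins from one IP, a failed sign-in from a second IP, and two IPs that fall into different 5-minute buckets.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 300  # the rule's 5-minute window

# Constructed sample records in the shape of Azure AD NonInteractiveUserSignInLogs
# events. Field names are an assumption; verify them against a real export.
SAMPLE_LOGS = [
    # alice: two successful sign-ins from different IPs in one 5-minute bucket -> flagged
    '{"time":"2024-11-14T12:00:10Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0}}}',
    '{"time":"2024-11-14T12:03:40Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","status":{"errorCode":0}}}',
    # bob: same IP twice -> only one distinct source, not flagged
    '{"time":"2024-11-14T12:01:00Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.55","status":{"errorCode":0}}}',
    '{"time":"2024-11-14T12:02:30Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.55","status":{"errorCode":0}}}',
    # carol: second IP is a failed sign-in -> excluded before counting
    '{"time":"2024-11-14T12:00:30Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"carol@example.com","ipAddress":"192.0.2.8","status":{"errorCode":0}}}',
    '{"time":"2024-11-14T12:02:00Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.99","status":{"errorCode":50126}}}',
    # dave: two IPs, but 12:04 and 12:06 land in different buckets -> not flagged
    '{"time":"2024-11-14T12:04:00Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"dave@example.com","ipAddress":"192.0.2.20","status":{"errorCode":0}}}',
    '{"time":"2024-11-14T12:06:00Z","category":"NonInteractiveUserSignInLogs","properties":{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.77","status":{"errorCode":0}}}',
]


def parse_event(line):
    """Return (epoch_ts, user, ip, success) or None for records outside the rule's scope."""
    rec = json.loads(line)
    if rec.get("category") != "NonInteractiveUserSignInLogs":
        return None
    props = rec.get("properties", {})
    ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00")).timestamp()
    success = props.get("status", {}).get("errorCode") == 0
    return ts, props.get("userPrincipalName"), props.get("ipAddress"), success


def bucket_start(ts):
    """Floor an epoch timestamp to the start of its 5-minute bucket (like SPL's bin span=5m)."""
    return int(ts // BUCKET_SECONDS) * BUCKET_SECONDS


def find_concurrent_sessions(lines, min_distinct_ips=2):
    """Count distinct source IPs per (user, 5-minute bucket) over successful sign-ins
    and return the (user, window) pairs that reach min_distinct_ips."""
    ips_per_key = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, user, ip, success = parsed
        if not success or not user or not ip:
            continue  # the rule only looks at successful authentications
        ips_per_key[(user, bucket_start(ts))].add(ip)

    hits = []
    for (user, bucket), ips in sorted(ips_per_key.items()):
        if len(ips) >= min_distinct_ips:
            hits.append({
                "user": user,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "ips": sorted(ips),
                "distinct_ip_count": len(ips),
            })
    return hits


if __name__ == "__main__":
    for hit in find_concurrent_sessions(SAMPLE_LOGS):
        print(hit)
```

When tuning this in production, expect legitimate triggers from users moving between corporate Wi-Fi, VPN egress and mobile networks within the same five minutes; an allowlist of known corporate egress ranges, or a second stage that compares the geolocation or ASN of the distinct IPs, cuts that noise without weakening the cookie-replay case the rule is after.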
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • Cloud Service
  • User Account
  • Application Log
ATT&CK Techniques
  • T1185
Created: 2024-11-14