
Summary
This detection rule uses a machine learning job to identify unusual geolocation activity in Azure Activity Logs. It flags events where an action is executed from a country that is atypical for the user, which can indicate compromised credentials or access permissions being used by threat actors operating from a different geographical location than the one the authorized user normally works from. The anomaly threshold is set at 50: activities whose anomaly score exceeds this threshold trigger an alert. The rule accounts for known false positives with legitimate causes, such as adoption of a new service, international travel by users, or an organizational shift towards remote work, balancing detection against unnecessary alerts. The machine learning job associated with this rule starts automatically when the rule is enabled, and it requires the Azure Activity Logs integration to be set up beforehand to function correctly.
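A simplified illustration of the rule's logic, added here as an example; it is not the rule's own machine learning job and does not reproduce its scoring. It builds a per-user baseline of source countries from constructed sample records and scores a new event by how rare its country is for that user, flagging scores at or above the rule's threshold of 50. The `user` and `country` field names and the rarity score are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records, not real Azure Activity Log events. Only the two
# fields this illustration reasons about are kept: the acting identity and the
# country resolved from the caller's source IP (hypothetical field names).
HISTORY = (
    [{"user": "alice@example.com", "country": "US"}] * 9
    + [{"user": "alice@example.com", "country": "DE"}]
    + [{"user": "bob@example.com", "country": "GB"}] * 3
)
NEW_EVENTS = [
    {"user": "alice@example.com", "country": "US"},   # usual country
    {"user": "alice@example.com", "country": "BR"},   # never seen for alice
    {"user": "bob@example.com", "country": "GB"},     # usual country
    {"user": "carol@example.com", "country": "JP"},   # no history at all
]

ANOMALY_THRESHOLD = 50  # the rule's threshold; scores here run 0..100

def build_baseline(events):
    """Count, per user, how often each source country appears in history."""
    baseline = defaultdict(Counter)
    for event in events:
        baseline[event["user"]][event["country"]] += 1
    return baseline

def score_event(baseline, event):
    """Rarity score 0..100: 0 for a user's only country, 100 for a new one."""
    seen = baseline.get(event["user"])
    if not seen:  # no history for this user: nothing to compare against
        return 0
    share = seen[event["country"]] / sum(seen.values())
    return round((1 - share) * 100)

def flag_unusual_country(history, new_events, threshold=ANOMALY_THRESHOLD):
    """Return (user, country, score) for new events at or above threshold."""
    baseline = build_baseline(history)
    flagged = []
    for event in new_events:
        score = score_event(baseline, event)
        if score >= threshold:
            flagged.append((event["user"], event["country"], score))
    return flagged

if __name__ == "__main__":
    for user, country, score in flag_unusual_country(HISTORY, NEW_EVENTS):
        print(f"unusual country for {user}: {country} (score {score})")
```

A user with no baseline scores 0 rather than being flagged, mirroring the fact that the job needs history before it can call an event anomalous; a travelling user with a long history in one country will score high on the first event abroad, which is the false-positive case the summary describes.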
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
- T1078.004
Created: 2025-10-06