
Summary
This detection rule identifies successful Auth0 logins that originate from a country inconsistent with the user's recent login history. It reads Auth0 authentication logs through the `get_authentication_data_auth0` function, keeps only successful login events, and resolves each event's source IP to a country with IP geolocation. It then aggregates the resolved countries per user to build that user's set of familiar locations and compares each new login against it, flagging any login whose country has not previously been associated with the user. Because the comparison is against a historical baseline, the rule is most useful for detecting account takeover, where a threat actor authenticates with valid credentials from a location the legitimate user has never logged in from. Legitimate travel, VPN egress points, and users with little or no login history will also produce matches, so the baseline window and how users without history are treated should be tuned before the rule is used for alerting.
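The following is an added example, not code from the original page or from the detection content it describes, showing the baseline-and-compare logic in plain Python over a constructed set of Auth0-style log records. The IP-to-country table, the sample events, and the field choices (`type == "s"` for a successful login, `user_name`, `ip`, `date`) are assumptions made for the example; a real deployment would use the search's own geolocation lookup and log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed IP -> country table standing in for a real geolocation lookup
# (assumption for this example; production code would query a geo database).
GEO_TABLE = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "DE",
    "192.0.2.44": "BR",
}

# Constructed Auth0-style log events (values are made up). "type" == "s" is a
# successful login; "f" is a failed login and is ignored by the detection.
SAMPLE_EVENTS = [
    {"type": "s", "user_name": "alice@example.com", "ip": "203.0.113.10", "date": "2024-01-15T08:00:00Z"},
    {"type": "s", "user_name": "alice@example.com", "ip": "203.0.113.11", "date": "2024-01-28T09:12:00Z"},
    {"type": "s", "user_name": "bob@example.com",   "ip": "198.51.100.7", "date": "2024-01-20T10:00:00Z"},
    {"type": "f", "user_name": "alice@example.com", "ip": "192.0.2.44",   "date": "2024-02-08T23:00:00Z"},
    {"type": "s", "user_name": "alice@example.com", "ip": "192.0.2.44",   "date": "2024-02-08T23:05:00Z"},
    {"type": "s", "user_name": "bob@example.com",   "ip": "198.51.100.7", "date": "2024-02-08T11:00:00Z"},
    {"type": "s", "user_name": "carol@example.com", "ip": "192.0.2.44",   "date": "2024-02-09T01:00:00Z"},
]


def parse_date(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def geolocate(ip):
    """Return a country code for an IP, or None if it cannot be resolved."""
    return GEO_TABLE.get(ip)


def successful_logins(events):
    """Yield successful logins that could be geolocated, normalised for comparison."""
    for e in events:
        if e.get("type") != "s":
            continue
        country = geolocate(e["ip"])
        if country is None:          # private / unresolvable IPs carry no location signal
            continue
        yield {"user": e["user_name"], "ip": e["ip"], "country": country, "ts": parse_date(e["date"])}


def build_baseline(logins, window_start):
    """Map each user to the set of countries seen in logins before the detection window."""
    baseline = defaultdict(set)
    for login in logins:
        if login["ts"] < window_start:
            baseline[login["user"]].add(login["country"])
    return baseline


def find_unfamiliar_logins(events, window_start, lookback_days=30, alert_on_new_users=False):
    """Flag logins in [window_start, ...) whose country is absent from the user's baseline.

    Users with no history in the lookback period are only flagged when
    alert_on_new_users is set, since a first-ever login has nothing to compare against.
    """
    logins = list(successful_logins(events))
    history_start = window_start - timedelta(days=lookback_days)
    baseline = build_baseline([l for l in logins if l["ts"] >= history_start], window_start)

    findings = []
    for login in logins:
        if login["ts"] < window_start:
            continue
        known = baseline.get(login["user"])
        if not known:
            if alert_on_new_users:
                findings.append({**login, "known_countries": [], "reason": "no login history"})
            continue
        if login["country"] not in known:
            findings.append({**login, "known_countries": sorted(known), "reason": "new country"})
    return findings


if __name__ == "__main__":
    for f in find_unfamiliar_logins(SAMPLE_EVENTS, parse_date("2024-02-08T00:00:00Z")):
        print(f"{f['user']} logged in from {f['country']} ({f['ip']}); known: {f['known_countries']}")
```

With a detection window starting 2024-02-08 and a 30-day lookback, alice is flagged (BR against a US-only baseline), bob is not (DE is familiar), and carol is only flagged when `alert_on_new_users` is enabled. The lookback length and the new-user policy are the two knobs that most affect the false-positive rate of this kind of rule.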
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1078 (Valid Accounts)
Created: 2024-02-09