M365 Copilot Application Usage Pattern Anomalies

Splunk Security Content

Summary
The M365 Copilot Application Usage Pattern Anomalies detection rule identifies potentially compromised user accounts from abnormal usage patterns of Microsoft 365 Copilot applications. The rule uses M365 Copilot Graph API logs to track user activity, measuring indicators such as access from multiple geographic locations, the volume of events generated per day, and the variety of applications used within a specified timeframe. Users are flagged for scrutiny if they access services from more than one city (cities_count > 1), generate over 100 events in a single day (events_per_day > 100), or use more than two Copilot applications (app_count > 2). These patterns matter because they can indicate unauthorized account access or automated behavior driven by an external threat. The rule uses a structured search and statistical evaluation within Splunk to surface the anomalies and provide actionable findings, which are particularly important for mitigating credential compromise and automated abuse in enterprise environments.
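The following is an added illustration of the aggregation and threshold logic described above, written in Python rather than SPL and not taken from the Splunk rule itself; the event field names (user, day, city, app) and the sample records are constructed assumptions, not the real Graph API schema.

```python
from collections import defaultdict

# Thresholds as stated in the rule summary; a user is flagged if ANY one is exceeded.
THRESHOLDS = {"cities_count": 1, "events_per_day": 100, "app_count": 2}


def _event(user, day, city, app):
    return {"user": user, "day": day, "city": city, "app": app}


# Constructed sample events standing in for Copilot Graph API log records
# (field names are assumptions, not the real schema).
SAMPLE_EVENTS = (
    [_event("alice@example.com", "2025-09-24", "Seattle", "Word"),
     _event("alice@example.com", "2025-09-24", "Lagos", "Teams")]         # 2 cities, 2 apps
    + [_event("bob@example.com", "2025-09-24", "Dublin", "Teams")] * 120   # 120 events in one day
    + [_event("carol@example.com", "2025-09-24", "Austin", a) for a in ("Word", "Excel", "Outlook")]
    + [_event("dave@example.com", "2025-09-24", "Berlin", "Word")] * 5     # benign baseline
)


def aggregate(events):
    """Per-user distinct cities, distinct apps and event counts per calendar day."""
    per_user = defaultdict(lambda: {"cities": set(), "apps": set(), "per_day": defaultdict(int)})
    for e in events:
        u = per_user[e["user"]]
        u["cities"].add(e["city"])
        u["apps"].add(e["app"])
        u["per_day"][e["day"]] += 1
    return per_user


def flag_users(events, thresholds=THRESHOLDS):
    """Return {user: {metrics..., 'reasons': [...]}} for users exceeding any threshold."""
    findings = {}
    for user, agg in aggregate(events).items():
        metrics = {
            "cities_count": len(agg["cities"]),
            "app_count": len(agg["apps"]),
            "events_per_day": max(agg["per_day"].values()),  # busiest day in the window
        }
        # Each threshold is a strict 'greater than', matching the rule's conditions.
        reasons = [m for m, limit in thresholds.items() if metrics[m] > limit]
        if reasons:
            findings[user] = {**metrics, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in flag_users(SAMPLE_EVENTS).items():
        print(user, finding)
```

Note that alice is flagged only on cities_count: two apps does not exceed app_count > 2, so each metric should be reviewed on its own when triaging a hit.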
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Malware Repository
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2025-09-24