O365 Rare User Agent Login

Anvilogic Forge

Summary
The 'O365 Rare User Agent Login' rule detects unusual login patterns to Office 365 accounts by analyzing user agent strings, which identify the client device and browser used during a login attempt. The logic processes cloud log data, specifically events indicating user logins within a specified timeframe, and identifies logins with rare user agents or with multiple user agents from the same user in a defined period. It uses an aggregation approach: login events are grouped per user over a ten-minute window, and the count and distinct count of user agents in each window are calculated. The rule flags any user with more than one user agent in a window, or with fewer than five occurrences of a single user agent. It also enriches each result by geolocating the source IP address, giving context for logins that may indicate suspicious activity or account compromise. This use case is particularly relevant for identifying credential theft, account enumeration, or multi-device usage in a cloud environment, and strengthens monitoring of user account security in Office 365 deployments.
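The aggregation the summary describes, reimplemented in Python as an added illustration (this is not Anvilogic's rule code). The event field names, the constructed sample sign-ins and the static GeoIP table are assumptions; a real deployment reads the tenant's sign-in logs and queries a GeoIP database.

```python
"""Ten-minute windows per user, count and distinct count of user agents,
flag dc > 1 or count < 5, then enrich with source-IP geolocation."""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 10 * 60  # ten-minute aggregation window
RARE_THRESHOLD = 5        # fewer than five occurrences of a user agent is "rare"

# Constructed placeholder for GeoIP enrichment (a real rule queries a GeoIP database).
GEO_LOOKUP = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.44": "BR"}

CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
CURL = "curl/8.4.0"

# Constructed sample sign-in events; field names are assumed, not the vendor schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "user_agent": CHROME, "src_ip": "203.0.113.10",
     "timestamp": f"2024-02-09T08:0{i}:00+00:00"} for i in range(6)  # 6 logins, one UA
] + [
    {"user": "bob@example.com", "user_agent": CHROME, "src_ip": "198.51.100.7",
     "timestamp": "2024-02-09T08:01:00+00:00"},
    {"user": "bob@example.com", "user_agent": CURL, "src_ip": "192.0.2.44",
     "timestamp": "2024-02-09T08:04:00+00:00"},  # second user agent in the same window
    {"user": "carol@example.com", "user_agent": CHROME, "src_ip": "203.0.113.10",
     "timestamp": "2024-02-09T08:07:00+00:00"},  # single login: below the rare threshold
]

def window_start(timestamp):
    """Floor an ISO-8601 timestamp to the start of its ten-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(timestamp).timestamp())
    return epoch - epoch % WINDOW_SECONDS

def rare_user_agent_logins(events, rare_threshold=RARE_THRESHOLD):
    """Group logins by (user, window) and return the aggregates the rule would flag."""
    buckets = defaultdict(list)
    for event in events:
        buckets[(event["user"], window_start(event["timestamp"]))].append(event)
    alerts = []
    for (user, start), group in sorted(buckets.items()):
        agents = [e["user_agent"] for e in group]
        count, distinct = len(agents), len(set(agents))
        if distinct > 1 or count < rare_threshold:
            alerts.append({
                "user": user, "window_start": start, "count": count,
                "distinct_user_agents": distinct, "user_agents": sorted(set(agents)),
                # geolocation enrichment of every source IP seen in the window
                "src_geo": {e["src_ip"]: GEO_LOOKUP.get(e["src_ip"], "unknown") for e in group},
            })
    return alerts

if __name__ == "__main__":
    for alert in rare_user_agent_logins(SAMPLE_EVENTS):
        print(alert)
```

With the sample data, alice (six logins, one user agent) is not flagged, while bob (two user agents in one window) and carol (a single login) are.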
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • User Account
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2024-02-09