
Summary
This rule detects potentially compromised Azure service principals by identifying sign-in events from multiple geographic locations within a short time window. It targets non-interactive automation identities (service principals) authenticating to Azure, using Microsoft Entra ID Sign-In Logs (Azure SignInLogs) with the ServicePrincipalSignInLogs category and a successful status (error_code == 0). The detection excludes well-known, legitimate service principals (based on their owner tenant IDs) to reduce noise.

For each service principal (grouped by service_principal_id and app_display_name), the rule aggregates the distinct source countries and country/city pairs associated with those sign-ins. If a given SP shows sign-ins from two or more distinct countries within the last eight hours, the rule raises an alert. This pattern is consistent with credential compromise, where stolen service principal secrets are used from disparate locations, and aligns with T1078 Cloud Accounts under the Initial Access tactic. The rule also annotates investigation fields such as app_id, app_display_name, source_ip, the resource accessed, and Azure activity/log data to aid triage.

The risk score is 73 with high severity, and the rule is configured to run on an 8-hour window, evaluating every hour. The intended workflow includes triage steps such as validating the SP, checking recent credential rotations, correlating with Azure AD/Audit Logs and Activity Logs, and examining resource access. The rule supports responses such as credential rotation, session revocation, removal of unauthorized role assignments, and enforcement of location-based conditional access where possible. References point to Azure Entra ID sign-in monitoring, workload identities, and cloud security guidance.
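The filtering, grouping and threshold logic described above, reimplemented as an added Python example over constructed sign-in records; this is not the rule's own query. The record field names, the excluded owner tenant ID and all sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Owner tenant IDs of well-known service principals to exclude (placeholder value, not a real tenant).
EXCLUDED_OWNER_TENANT_IDS = {"00000000-0000-0000-0000-00000000aaaa"}
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder owner tenant for in-scope SPs
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)    # fixed "now" so the example is deterministic


def _event(sp_id, app, country, city, hours_ago, ip, error_code=0, owner=CUSTOMER_TENANT):
    """Build one constructed sign-in record carrying only the fields the detection relies on."""
    return {"@timestamp": NOW - timedelta(hours=hours_ago), "category": "ServicePrincipalSignInLogs",
            "error_code": error_code, "service_principal_id": sp_id, "app_display_name": app,
            "owner_tenant_id": owner, "source_country": country, "source_city": city, "source_ip": ip}


# Constructed sample data (TEST-NET addresses); comments give the expected treatment of each record.
SAMPLE_EVENTS = [
    _event("sp-1", "ci-pipeline", "US", "Seattle", 1, "203.0.113.10"),
    _event("sp-1", "ci-pipeline", "US", "Seattle", 3, "203.0.113.10"),                 # same country: no alert
    _event("sp-2", "backup-automation", "US", "Boston", 1, "198.51.100.7"),
    _event("sp-2", "backup-automation", "DE", "Berlin", 2, "192.0.2.44"),              # second country in window
    _event("sp-2", "backup-automation", "BR", "Sao Paulo", 2, "192.0.2.9", error_code=50126),  # failed: ignored
    _event("sp-2", "backup-automation", "NL", "Amsterdam", 10, "192.0.2.5"),           # older than 8h: ignored
    _event("sp-3", "first-party-svc", "US", "Redmond", 1, "203.0.113.77", owner="00000000-0000-0000-0000-00000000aaaa"),
    _event("sp-3", "first-party-svc", "IE", "Dublin", 2, "203.0.113.78", owner="00000000-0000-0000-0000-00000000aaaa"),
]


def detect_multi_geo_sign_ins(events, now=NOW, window_hours=8, min_countries=2):
    """Return {(service_principal_id, app_display_name): investigation fields} for every SP with
    successful sign-ins from at least `min_countries` distinct countries inside the window."""
    cutoff = now - timedelta(hours=window_hours)
    groups = defaultdict(lambda: {"countries": set(), "locations": set(), "source_ips": set()})
    for e in events:
        if e["category"] != "ServicePrincipalSignInLogs" or e["error_code"] != 0:
            continue  # only successful service principal sign-ins count
        if e["owner_tenant_id"] in EXCLUDED_OWNER_TENANT_IDS:
            continue  # well-known first-party SPs are excluded to reduce noise
        if e["@timestamp"] < cutoff:
            continue  # outside the lookback window
        g = groups[(e["service_principal_id"], e["app_display_name"])]
        g["countries"].add(e["source_country"])
        g["locations"].add(f'{e["source_country"]}/{e["source_city"]}')
        g["source_ips"].add(e["source_ip"])
    # Sorted lists make the alert payload stable for triage and comparison.
    return {key: {k: sorted(v) for k, v in g.items()}
            for key, g in groups.items() if len(g["countries"]) >= min_countries}
```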
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Logon Session
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2026-03-10