Push Security Authorized IdP Login

Panther Rules

Summary
This detection rule monitors logins to applications through identity providers (IdPs) as recorded by Push Security. It flags a login when the identity provider used to sign in to an application is not one of the providers allowed for that application. A login through an unexpected IdP is a possible sign of SAMLjacking, in which an attacker abuses an application's SAML single sign-on configuration to route users through an identity provider they control, so that the attacker rather than the organisation's IdP handles the authentication step. The rule ships with tests covering Google Workspace, Microsoft 365, and Okta logins, each checked against its expected outcome. The rule is delivered disabled and therefore produces no alerts until it is enabled; because it depends on an allowlist of identity providers per application, that list should be reviewed against the environment before turning it on. The login events it evaluates (application, login type, identity provider, user) are also useful when reconstructing authentication activity during a forensic investigation.
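One way to express such an allowlist check, written here as an added example in the shape of a Panther Python rule (rule, title and alert_context functions). This is illustrative code, not the rule shipped in panther-analysis or Push Security's own code: the event fields it reads (object, new.appType, new.loginType, new.identityProvider, new.email), the login type and provider values, and the contents of the allowlist are assumptions, and the sample events at the bottom are constructed.

```python
"""Allowlist-based IdP login check in the style of a Panther Python rule.

Added example, not the rule from panther-analysis. The Push Security event
shape assumed here (object, new.appType, new.loginType, new.identityProvider,
new.email) and the allowlist values are assumptions; adapt both to the real
schema before use.
"""

# Assumed mapping: app type -> identity providers trusted to sign users into it.
# A federated login through any other provider is flagged. Review this for the
# environment before enabling a rule like this; an unreviewed allowlist is the
# reason such a rule is shipped disabled.
ALLOWED_IDPS_BY_APP = {
    "GOOGLE_WORKSPACE": {"GOOGLE_WORKSPACE"},
    "MICROSOFT_365": {"MICROSOFT_365"},
    "OKTA": {"OKTA"},
}

# Only federated logins route through an external IdP; a password login has
# no provider to compare against. Assumed loginType values.
FEDERATED_LOGIN_TYPES = {"SAML_LOGIN", "OIDC_LOGIN"}


def rule(event):
    """True when a federated login reaches an app through an IdP the app is
    not expected to use. Uses only .get(), so it works on a plain dict and
    on Panther's event object alike."""
    if event.get("object") != "LOGIN":
        return False
    new = event.get("new") or {}
    if new.get("loginType") not in FEDERATED_LOGIN_TYPES:
        return False
    allowed = ALLOWED_IDPS_BY_APP.get(new.get("appType"))
    if allowed is None:
        # No expectation configured for this app: stay quiet rather than page
        # on every unlisted app. Change to `return True` for deny-by-default.
        return False
    return new.get("identityProvider") not in allowed


def title(event):
    new = event.get("new") or {}
    return (
        f"[{new.get('appType')}] login by {new.get('email')} via unexpected "
        f"identity provider {new.get('identityProvider')}"
    )


def alert_context(event):
    """Fields an analyst needs first when triaging a hit."""
    new = event.get("new") or {}
    keys = ("appType", "loginType", "identityProvider", "email")
    return {k: new.get(k) for k in keys}


def flagged_titles(events):
    """Run the rule over a batch of events and return the titles of the hits."""
    return [title(e) for e in events if rule(e)]


def _login(app, login_type, idp, email):
    # Helper to build a constructed LOGIN event in the assumed shape.
    return {
        "object": "LOGIN",
        "new": {
            "appType": app,
            "loginType": login_type,
            "identityProvider": idp,
            "email": email,
        },
    }


# Constructed sample events (not real Push Security data).
SAMPLE_EVENTS = [
    _login("GOOGLE_WORKSPACE", "SAML_LOGIN", "GOOGLE_WORKSPACE", "ann@example.com"),
    _login("MICROSOFT_365", "OIDC_LOGIN", "MICROSOFT_365", "bob@example.com"),
    _login("OKTA", "SAML_LOGIN", "OKTA", "cat@example.com"),
    # Password login: no IdP involved, so there is nothing to compare.
    _login("GOOGLE_WORKSPACE", "PASSWORD_LOGIN", None, "dan@example.com"),
    # SAML login to Google Workspace through a provider that is not on the
    # allowlist: the shape a SAMLjacked tenant would produce.
    _login("GOOGLE_WORKSPACE", "SAML_LOGIN", "ROGUE_IDP", "eve@example.com"),
    # Non-login object from the same feed; the rule ignores it.
    {"object": "EMPLOYEE", "new": {"email": "fay@example.com"}},
]

if __name__ == "__main__":
    for hit in flagged_titles(SAMPLE_EVENTS):
        print(hit)
```

Only the fifth sample fires: a federated login to Google Workspace through a provider that is not trusted for that app. The password login and the non-login object are ignored by design, and an app missing from the allowlist stays silent rather than alerting on every unlisted application; flip that branch if deny-by-default is wanted.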
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Logon Session
Created: 2024-07-16