A user authenticated with SAML, but from an unknown company domain

Panther Rules

Summary
This detection rule identifies when a user has authenticated via SAML (Security Assertion Markup Language) from a company domain that the organization's policies do not recognize as legitimate. The detection aims to prevent unauthorized access by monitoring login events for attempts originating from unknown or unexpected domains. Specifically, the rule triggers when a login event indicates a successful SAML authentication and the user's email domain does not match the expected company domain. Such a login can indicate compromised credentials or misuse of SAML-based authentication, so the rule matters both for security compliance and for protecting sensitive data. The rule carries a high severity rating because of the potential consequences of unauthorized access, and it alerts administrators to investigate these incidents promptly. The deduplication period is set to 60 minutes so that repeated occurrences of the same incident within that window do not generate duplicate alerts. Organizations that use SAML authentication should have rules like this in place to strengthen their security posture against phishing, account takeovers, and other attacks targeting authentication processes.
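The following is an added example of how such a detection can be expressed as a Panther-style Python rule (a `rule` function that returns a boolean, plus `title` and `dedup` helpers). It is not the page's own rule code, and it assumes a log schema: the field names `event_type`, `auth_method`, `success` and `user_email`, the `user.login` event value, and the allow-listed domains are all constructed placeholders. The sample events at the bottom are likewise constructed for offline testing.

```python
# Added example (not Panther's own rule source): flag a successful SAML login
# whose e-mail domain is not an approved company domain.
# ASSUMED schema: event_type, auth_method, success, user_email.
from typing import Iterable, List, Mapping

# ASSUMED allow-list of legitimate company domains (constructed placeholders).
COMPANY_DOMAINS = {"example.com"}


def email_domain(email: str) -> str:
    """Return the normalized domain of an e-mail address, or '' if it has none.

    Split on the *last* '@' so a crafted local part such as
    'alice@example.com@attacker.test' is attributed to the real domain.
    """
    if not email or "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def is_company_domain(domain: str) -> bool:
    """True for an approved domain or a subdomain of one.

    The leading '.' in the suffix check prevents 'notexample.com' from
    matching 'example.com'.
    """
    if not domain:
        return False
    return any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)


def rule(event: Mapping) -> bool:
    """Fire on a successful SAML authentication from an unknown domain."""
    if event.get("event_type") != "user.login":
        return False
    if str(event.get("auth_method", "")).lower() != "saml":
        return False
    if not event.get("success"):
        return False
    domain = email_domain(str(event.get("user_email", "")))
    # A missing or malformed address is itself unexpected for SAML and is alerted on.
    return not is_company_domain(domain)


def title(event: Mapping) -> str:
    """Alert title naming the user and the unrecognized domain."""
    email = event.get("user_email", "<no email>")
    return f"SAML login by [{email}] from unknown domain [{email_domain(str(email)) or '<none>'}]"


def dedup(event: Mapping) -> str:
    """Deduplicate per user so one account yields one alert per 60-minute window."""
    return str(event.get("user_email", "<no email>"))


def evaluate(events: Iterable[Mapping]) -> List[str]:
    """Run the rule over a batch of events and return the titles of the alerts."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events for offline testing.
SAMPLE_EVENTS = [
    {"event_type": "user.login", "auth_method": "SAML", "success": True,
     "user_email": "Alice@Example.COM"},            # approved, case differs
    {"event_type": "user.login", "auth_method": "saml", "success": True,
     "user_email": "bob@eu.example.com"},           # approved subdomain
    {"event_type": "user.login", "auth_method": "saml", "success": True,
     "user_email": "carol@notexample.com"},         # lookalike, must fire
    {"event_type": "user.login", "auth_method": "saml", "success": True,
     "user_email": "dave@partner.test"},            # unknown domain, fires
    {"event_type": "user.login", "auth_method": "saml", "success": False,
     "user_email": "eve@partner.test"},             # failed login, no fire
    {"event_type": "user.login", "auth_method": "password", "success": True,
     "user_email": "frank@partner.test"},           # not SAML, no fire
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

The suffix check with a leading dot is the detail most often gotten wrong in domain allow-lists; without it, any domain ending in the approved string would pass. Splitting on the last `@` matters for the same reason: the domain a SAML IdP asserts is the one after the final `@`, and the rule should judge that one.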
Categories
  • Identity Management
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1098
  • T1001
Created: 2023-12-04