M365 Copilot Session Origin Anomalies

Splunk Security Content

Summary
The 'M365 Copilot Session Origin Anomalies' rule identifies M365 Copilot users who access the application from multiple geographical locations within a short timeframe, which can indicate account compromise or credential sharing. It aggregates M365 Copilot Graph API events per user and computes the number of unique cities and countries seen, the days on which the user was active, and the number of distinct source IP addresses used. Any user seen in more than one city (cities_count > 1) is flagged. Results are sorted by country and city diversity so that security teams can prioritize the accounts with the most suspicious multi-location access patterns. This helps surface impossible-travel scenarios and can serve as an early indicator of compromised credentials being used from different regions. The detection runs on the Splunk platform over ingested M365 Copilot access logs.
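The aggregation the rule performs, reimplemented in Python as an added example (this is not the Splunk Security Content search itself). The event field names (user, src_ip, city, country, timestamp) and the sample events are constructed assumptions for illustration; it also adds a per-user time span so the "short timeframe" aspect is visible alongside the cities_count > 1 threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample M365 Copilot access events (not real data). The field
# names below are assumptions; map them to your actual Graph API event schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "src_ip": "203.0.113.10", "city": "Seattle",
     "country": "US", "timestamp": "2025-09-24T08:02:11Z"},
    {"user": "alice@example.com", "src_ip": "203.0.113.10", "city": "Seattle",
     "country": "US", "timestamp": "2025-09-24T09:15:40Z"},
    {"user": "alice@example.com", "src_ip": "198.51.100.7", "city": "Lagos",
     "country": "NG", "timestamp": "2025-09-24T09:41:03Z"},
    {"user": "bob@example.com", "src_ip": "192.0.2.55", "city": "Dublin",
     "country": "IE", "timestamp": "2025-09-23T14:20:00Z"},
    {"user": "bob@example.com", "src_ip": "192.0.2.56", "city": "Dublin",
     "country": "IE", "timestamp": "2025-09-24T10:00:00Z"},
    {"user": "carol@example.com", "src_ip": "192.0.2.80", "city": "Austin",
     "country": "US", "timestamp": "2025-09-24T11:00:00Z"},
    {"user": "carol@example.com", "src_ip": "192.0.2.81", "city": "Dallas",
     "country": "US", "timestamp": "2025-09-24T12:30:00Z"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def summarize_sessions(events):
    """Aggregate events per user into the metrics the rule computes:
    unique cities, unique countries, active days and distinct source IPs,
    plus first/last seen so the time span of the activity is visible."""
    per_user = defaultdict(lambda: {
        "cities": set(), "countries": set(), "days": set(), "ips": set(),
        "first": None, "last": None,
    })
    for ev in events:
        agg = per_user[ev["user"]]
        ts = datetime.strptime(ev["timestamp"], TS_FORMAT)
        agg["cities"].add(ev["city"])
        agg["countries"].add(ev["country"])
        agg["days"].add(ts.date())
        agg["ips"].add(ev["src_ip"])
        agg["first"] = ts if agg["first"] is None else min(agg["first"], ts)
        agg["last"] = ts if agg["last"] is None else max(agg["last"], ts)

    rows = []
    for user, agg in per_user.items():
        span_seconds = (agg["last"] - agg["first"]).total_seconds()
        rows.append({
            "user": user,
            "cities_count": len(agg["cities"]),
            "countries_count": len(agg["countries"]),
            "active_days": len(agg["days"]),
            "unique_ips": len(agg["ips"]),
            "cities": sorted(agg["cities"]),
            "countries": sorted(agg["countries"]),
            "first_seen": agg["first"].strftime(TS_FORMAT),
            "last_seen": agg["last"].strftime(TS_FORMAT),
            "span_minutes": int(span_seconds // 60),
        })
    return rows


def find_multi_location_users(events):
    """Apply the rule's threshold (cities_count > 1) and sort by country
    diversity, then city diversity, descending, so that cross-country
    access ranks above same-country multi-city access."""
    flagged = [r for r in summarize_sessions(events) if r["cities_count"] > 1]
    flagged.sort(key=lambda r: (r["countries_count"], r["cities_count"]),
                 reverse=True)
    return flagged


if __name__ == "__main__":
    for row in find_multi_location_users(SAMPLE_EVENTS):
        print(f"{row['user']}: cities={row['cities']} countries={row['countries']} "
              f"ips={row['unique_ips']} days={row['active_days']} "
              f"span={row['span_minutes']}min")
```

On the constructed input, alice (two countries, two cities within about 99 minutes) sorts above carol (two cities in one country), and bob is not flagged because both of his sessions come from the same city even though the IP changed. The span_minutes field is the piece a triage analyst wants next to the city count: a two-city, two-country user whose span is a week reads very differently from one whose span is under two hours.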
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Module
ATT&CK Techniques
  • T1078
Created: 2025-09-24