
Summary
This detection rule identifies sign-ins from geographical locations that have not previously been associated with a user account. By comparing each sign-in against the user's historical sign-in locations, it flags sign-ins that originate from a country the user has never, or only rarely, signed in from. The goal is to surface potentially unauthorized access, which is often the result of compromised credentials. The rule specifically matches sign-in events carrying the 'newCountry' risk event type, so that an alert is raised when a sign-in attempt originates from an unusual location. Flagged sessions should be examined in the context of the user's overall sign-in activity (surrounding sign-ins, device, application and authentication method) to limit false positives, since legitimate sign-ins from users who are travelling or relocating, or who egress through a VPN in another country, will also trigger the rule.
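The following is an added worked example of the detection logic described above, written for this page; it is not the rule's own query or any vendor's code. It replays constructed sample sign-ins in time order, builds a per-user baseline of countries seen in the preceding window, and flags a sign-in as "new" (country never seen), "infrequent" (seen fewer than a threshold), or as carrying the Identity Protection 'newCountry' risk event. Field names are modelled on the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, location.countryOrRegion, riskEventTypes_v2); that mapping, the window and threshold values, and the sample records are all assumptions of the example. Users with too little history are treated as still learning and are only flagged on the risk event, which is the kind of caveat the summary's note on false positives calls for.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, not real telemetry. Field names are modelled
# on the Microsoft Graph signIn resource; that mapping is an assumption here.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-04-01T12:00:00Z",
     "countryOrRegion": "JP", "riskEventTypes_v2": []},   # older than the 90-day window
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-08-01T08:00:00Z",
     "countryOrRegion": "US", "riskEventTypes_v2": []},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-08-10T09:15:00Z",
     "countryOrRegion": "US", "riskEventTypes_v2": []},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-08-20T07:45:00Z",
     "countryOrRegion": "CA", "riskEventTypes_v2": []},   # first visit to CA: new country
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-09-02T03:12:00Z",
     "countryOrRegion": "NG", "riskEventTypes_v2": ["newCountry"]},  # new + risk event
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-09-02T11:00:00Z",
     "countryOrRegion": "CA", "riskEventTypes_v2": []},   # seen once before: infrequent
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-08-01T10:00:00Z",
     "countryOrRegion": "DE", "riskEventTypes_v2": []},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-08-15T10:00:00Z",
     "countryOrRegion": "DE", "riskEventTypes_v2": []},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-09-02T10:30:00Z",
     "countryOrRegion": "DE", "riskEventTypes_v2": []},   # well-known country: no alert
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_signins(signins, window_days=90, min_history=2, min_count=2):
    """Replay sign-ins chronologically and flag new or infrequent countries per user.

    For each sign-in the baseline is the list of countries the same user signed in
    from during the preceding window_days. A country seen 0 times is 'new_country',
    fewer than min_count times is 'infrequent_country'. A user with fewer than
    min_history prior sign-ins in the window is still learning and is only flagged
    on the 'newCountry' risk event, which does not depend on this local baseline.
    Each alert carries the baseline counts so an analyst can triage in context.
    """
    ordered = sorted(signins, key=lambda s: _ts(s["createdDateTime"]))
    history = defaultdict(list)  # user -> [(time, country), ...]
    alerts = []
    for s in ordered:
        user = s["userPrincipalName"]
        t = _ts(s["createdDateTime"])
        country = s["countryOrRegion"]
        cutoff = t - timedelta(days=window_days)
        recent = [c for (seen_at, c) in history[user] if seen_at >= cutoff]
        counts = Counter(recent)

        reasons = []
        if "newCountry" in s.get("riskEventTypes_v2", []):
            reasons.append("identity_protection:newCountry")
        if len(recent) >= min_history:
            seen = counts[country]
            if seen == 0:
                reasons.append("new_country")
            elif seen < min_count:
                reasons.append("infrequent_country")

        if reasons:
            if "new_country" in reasons and "identity_protection:newCountry" in reasons:
                severity = "high"      # local baseline and Identity Protection agree
            elif reasons == ["infrequent_country"]:
                severity = "low"       # country known but rare; likely travel
            else:
                severity = "medium"
            alerts.append({
                "userPrincipalName": user,
                "createdDateTime": s["createdDateTime"],
                "countryOrRegion": country,
                "reasons": reasons,
                "severity": severity,
                "baseline": dict(counts),
            })
        history[user].append((t, country))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_signins(SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["userPrincipalName"],
              alert["createdDateTime"], alert["countryOrRegion"], alert["reasons"])
```

Run against the sample data, Alice's first Canadian sign-in is flagged as a new country, her Nigerian sign-in is flagged high because the local baseline and the 'newCountry' risk event agree, and her second Canadian sign-in drops to low as an infrequent but previously seen country; Bob, who only ever signs in from Germany, produces nothing. The 90-day window, the two-sign-in learning period and the "seen at least twice" threshold are the knobs to tune against your own false-positive rate.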
Categories
- Cloud
- Identity Management
- Endpoint
Data Sources
- User Account
- Logon Session
Created: 2023-09-03