O365 Impossible Travels Sign-in

Anvilogic Forge

Summary
The O365 Impossible Travels Sign-in detection rule identifies potentially fraudulent sign-ins to Office 365 accounts by looking for a single user authenticating from two geographically distant locations within a timeframe too short for legitimate travel, a pattern that suggests the account has been compromised. The rule runs in Splunk over Office 365 user-login operational data. It retrieves each user's sign-in records, sorts them by user and time, and uses `streamstats` to carry forward the previous sign-in's source location and timestamp for each user. Each login's source IP is then geolocated to obtain its coordinates, and the great-circle distance in miles between consecutive sign-ins is computed with the Haversine formula. Dividing that distance by the elapsed time between the two sign-ins gives an implied travel speed; any pair exceeding the predefined threshold of 1000 miles per hour is treated as impossible travel, since no legitimate user could have logged in from both locations that quickly. Users exhibiting this behavior are flagged for further analysis, with the timestamps, source IP addresses, and geolocated origins of both sign-ins collated for threat analysts to review. When tuning the rule, note that VPN egress points, cloud-hosted proxies, and mobile carrier NAT pools commonly place a single user's consecutive sign-ins far apart geographically, so known corporate VPN ranges and trusted IP lists are typical allowlist candidates.
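The following is an added example, not the Anvilogic rule itself or Splunk SPL: a Python reimplementation of the detection logic the summary describes, run over constructed O365 sign-in records. A small inline dictionary stands in for IP geolocation (in Splunk this would be the `iplocation` command), the events are sorted by user and time, the previous sign-in is carried forward per user the way `streamstats` does, the Haversine distance in miles is computed between consecutive sign-ins, and any pair whose implied speed exceeds 1000 mph is flagged. All IP addresses, users, coordinates, and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_SPEED_MPH = 1000.0  # threshold named in the rule summary

# Constructed geolocation table standing in for an IP-to-location lookup.
# Addresses are from documentation ranges (RFC 5737); coordinates are city centres.
GEO = {
    "203.0.113.10": ("New York, US", 40.7128, -74.0060),
    "198.51.100.23": ("London, GB", 51.5074, -0.1278),
    "192.0.2.55": ("Newark, US", 40.7357, -74.1724),
    "203.0.113.77": ("Sydney, AU", -33.8688, 151.2093),
}

# Constructed O365 UserLoggedIn-style records, deliberately not in time order.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-02-09T08:45:00Z", "src_ip": "198.51.100.23"},
    {"user": "bob@example.com", "time": "2024-02-09T09:30:00Z", "src_ip": "192.0.2.55"},
    {"user": "alice@example.com", "time": "2024-02-09T08:00:00Z", "src_ip": "203.0.113.10"},
    {"user": "carol@example.com", "time": "2024-02-10T10:00:00Z", "src_ip": "203.0.113.77"},
    {"user": "bob@example.com", "time": "2024-02-09T09:00:00Z", "src_ip": "203.0.113.10"},
    {"user": "carol@example.com", "time": "2024-02-09T10:00:00Z", "src_ip": "203.0.113.10"},
    {"user": "dave@example.com", "time": "2024-02-09T11:00:00Z", "src_ip": "10.0.0.5"},  # no geo
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, geo=GEO, max_speed_mph=MAX_SPEED_MPH):
    """Return one finding per consecutive sign-in pair whose implied speed exceeds the threshold."""
    # Sort by user then time so the per-user 'previous sign-in' is well defined,
    # mirroring `sort user _time | streamstats ... by user`.
    ordered = sorted(events, key=lambda e: (e["user"], parse_time(e["time"])))
    last_seen = defaultdict(lambda: None)  # user -> previous geolocated sign-in
    findings = []
    for ev in ordered:
        loc = geo.get(ev["src_ip"])
        if loc is None:
            continue  # IP has no geolocation (private/unknown); cannot compute distance
        cur = {"time": parse_time(ev["time"]), "src_ip": ev["src_ip"],
               "location": loc[0], "lat": loc[1], "lon": loc[2]}
        prev = last_seen[ev["user"]]
        if prev is not None:
            distance = haversine_miles(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Guard the zero-elapsed-time case: movement with no time elapsed is impossible.
            speed = distance / hours if hours > 0 else (float("inf") if distance > 0 else 0.0)
            if speed > max_speed_mph:
                findings.append({
                    "user": ev["user"],
                    "prev_time": prev["time"].isoformat(), "prev_ip": prev["src_ip"],
                    "prev_location": prev["location"],
                    "time": cur["time"].isoformat(), "src_ip": cur["src_ip"],
                    "location": cur["location"],
                    "distance_miles": round(distance, 1), "hours": round(hours, 2),
                    "speed_mph": round(speed, 1),
                })
        last_seen[ev["user"]] = cur
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SIGNINS):
        print(f)
```

Only alice is flagged: New York to London (about 3,460 miles) in 45 minutes implies roughly 4,600 mph. Bob's New York to Newark hop and Carol's New York to Sydney trip spread over 24 hours both stay well under the 1000 mph threshold, and Dave's sign-in from a private address is skipped because it cannot be geolocated.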
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
  • Cloud Service
ATT&CK Techniques
  • T1078
Created: 2024-02-09