Auditd Login from Forbidden Location

Elastic Detection Rules

Summary
This detection rule identifies login attempts from locations that have been marked as forbidden, which helps maintain a security posture against unauthorized access. It uses data from the auditd module and a KQL query to filter audit logs for events that indicate attempted logins from unusual locations. It leverages the risk score to prioritize alerts, and its high severity rating marks critical incidents that should be reviewed promptly. The rule runs against indices that capture audit data and is compatible with the Elastic Stack, targeting Linux environments in particular. It is tagged with keywords that reflect its focus on initial access attempts, tying it to broader categories of threat detection. It also references the MITRE ATT&CK framework, associating the detection with the Valid Accounts technique under both the Initial Access and Persistence tactics, which offers guidance on potentially abusive patterns in login activity.
Categories
  • Endpoint
  • Linux
  • Other
Data Sources
  • Logon Session
  • Process
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2020-07-08