
Summary
This analytic rule detects unusual login activity for Cisco Duo admin accounts originating from countries outside the United States. By examining Duo activity logs for admin login actions, it identifies potential unauthorized access through geographic anomalies in login patterns. The detection uses user, device, browser, and location data to highlight logins that could indicate credential compromise, account takeover, or targeted attacks. Early identification of such activity is crucial for responding to potential threats, because admin accounts hold significant privileges that, if misused, can lead to severe consequences, including unauthorized configuration changes, data breaches, or lateral movement within the organization.
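The following Python example is added here to illustrate the rule's logic; it is not part of the original rule or Cisco Duo's own code. It filters constructed admin-login events for countries outside the United States, and the JSON field names it reads (action, actor, access_device, location) are assumed rather than Duo's exact activity-log schema.

```python
import json

def _ev(ts, action, user, browser, ip, country=None):
    """Build one constructed log line; field names are assumed, not Duo's exact schema."""
    dev = {"browser": browser, "ip": ip}
    if country is not None:
        dev["location"] = {"country": country}
    return json.dumps({"ts": ts, "action": action, "actor": {"name": user},
                       "access_device": dev})

# Constructed sample admin activity lines (not real Duo output).
SAMPLE_EVENTS = [
    _ev("2025-07-10T13:02:11Z", "admin_login", "alice@example.com", "Chrome", "203.0.113.10", "United States"),
    _ev("2025-07-10T13:05:47Z", "admin_login", "bob@example.com", "Firefox", "198.51.100.7", "Germany"),
    _ev("2025-07-10T13:06:02Z", "user_login", "carol@example.com", "Safari", "198.51.100.9", "Brazil"),  # not an admin action
    _ev("2025-07-10T13:09:30Z", "admin_login", "dave@example.com", "Edge", "192.0.2.44"),  # no geo data
]

ALLOWED_COUNTRIES = {"United States"}
ADMIN_LOGIN_ACTIONS = {"admin_login"}

def find_foreign_admin_logins(raw_events, allowed=ALLOWED_COUNTRIES):
    """Return one finding per admin login whose country is outside `allowed`.
    A missing location is reported as 'UNKNOWN' rather than treated as
    allowed, so gaps in geo enrichment get reviewed instead of hidden."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("action") not in ADMIN_LOGIN_ACTIONS:
            continue
        dev = ev.get("access_device", {})
        country = dev.get("location", {}).get("country", "UNKNOWN")
        if country in allowed:
            continue
        findings.append({"time": ev.get("ts"), "user": ev["actor"]["name"],
                         "country": country, "ip": dev.get("ip"),
                         "browser": dev.get("browser")})
    return findings

if __name__ == "__main__":
    for f in find_foreign_admin_logins(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} logged in from {f['country']} ({f['ip']}, {f['browser']})")
```

Tune ALLOWED_COUNTRIES to where your administrators actually work; a hit is a geographic anomaly, not proof of compromise, so triage it using the device, browser, and IP fields the finding carries.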
Categories
- Identity Management
- Cloud
- On-Premise
- Infrastructure
Data Sources
- Drive
- Application Log
- Network Traffic
ATT&CK Techniques
- T1556
Created: 2025-07-10