
Summary
This detection rule targets multiple sign-ins from the same IP address within Office 365 environments, a pattern that may indicate suspicious activity or credential abuse. The rule uses Office 365 audit logs to capture logon events, both successful and failed authentication attempts, through Splunk searches. Each logon event is evaluated as a success or a failure, the events are grouped by source IP over a ten-minute window, and the distinct users associated with each IP address are counted. A threshold then flags any IP address from which more than one unique user is observed in a window, as this may indicate unauthorized access attempts or compromised accounts. Geographical enrichment through `iplocation` adds the origin of each login attempt, which can aid subsequent investigation. Multiple users signing in from one IP address can be legitimate account usage, but the same pattern can also reflect malicious attempts to gain unauthorized access or escalate permissions.
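The grouping and threshold logic described above, re-implemented in Python over a few constructed Office 365 audit records so it can be run offline. This is an added example, not the rule's own Splunk search; the record field names (`Operation`, `UserId`, `ClientIP`, `ResultStatus`, `CreationTime`) follow the Unified Audit Log schema, the `ResultStatus` spellings accepted are an assumption to verify against live data, and `GEO_TABLE` is a constructed stand-in for the `iplocation` lookup.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the shape of Office 365 Unified Audit Log
# entries, one JSON object per line. Not real data.
SAMPLE_EVENTS = [
    '{"CreationTime":"2024-02-09T10:01:05","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}',
    '{"CreationTime":"2024-02-09T10:04:30","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}',
    '{"CreationTime":"2024-02-09T10:07:00","Operation":"UserLoginFailed","UserId":"carol@example.com","ClientIP":"203.0.113.10","ResultStatus":"Failed"}',
    '{"CreationTime":"2024-02-09T10:15:00","Operation":"UserLoggedIn","UserId":"dave@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}',
    '{"CreationTime":"2024-02-09T10:02:10","Operation":"UserLoggedIn","UserId":"erin@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}',
    '{"CreationTime":"2024-02-09T10:06:45","Operation":"UserLoggedIn","UserId":"erin@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}',
    '{"CreationTime":"2024-02-09T10:03:00","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10"}',
]

# Constructed stand-in for Splunk's iplocation lookup (hypothetical values).
GEO_TABLE = {
    "203.0.113.10": {"Country": "Exampleland", "City": "Testville"},
    "198.51.100.7": {"Country": "Exampleland", "City": "Sampleton"},
}

WINDOW_SECONDS = 600   # the rule's ten-minute bin
USER_THRESHOLD = 1     # alert when distinct users per (IP, window) exceed this


def classify_logon(operation, result_status):
    """Mirror the rule's success/failure evaluation of logon events.
    Returns 'success', 'failure', or None for non-logon operations."""
    if operation == "UserLoginFailed":
        return "failure"
    if operation == "UserLoggedIn":
        # Assumption: both spellings are accepted; confirm against live data.
        return "success" if result_status in ("Success", "Succeeded") else "failure"
    return None


def parse_event(line):
    """Parse one JSON audit record into the fields the rule needs, or None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    outcome = classify_logon(rec.get("Operation"), rec.get("ResultStatus"))
    if outcome is None or not rec.get("UserId") or not rec.get("ClientIP"):
        return None
    # CreationTime in the audit log is UTC without an explicit offset.
    ts = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
    return {"ts": int(ts.timestamp()), "user": rec["UserId"].lower(),
            "src_ip": rec["ClientIP"], "outcome": outcome}


def window_start(ts, window=WINDOW_SECONDS):
    """Align a timestamp to the start of its fixed window (like Splunk's bin)."""
    return ts - (ts % window)


def detect(lines, window=WINDOW_SECONDS, threshold=USER_THRESHOLD, geo=GEO_TABLE):
    """Group logon events by (source IP, window), count distinct users, and
    return one alert per group whose distinct-user count exceeds the threshold."""
    groups = defaultdict(lambda: {"users": set(), "success": 0, "failure": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        g = groups[(ev["src_ip"], window_start(ev["ts"], window))]
        g["users"].add(ev["user"])
        g[ev["outcome"]] += 1

    alerts = []
    for (ip, start), g in sorted(groups.items()):
        if len(g["users"]) <= threshold:
            continue
        alerts.append({
            "src_ip": ip,
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "distinct_users": len(g["users"]),
            "users": sorted(g["users"]),
            "success_count": g["success"],
            "failure_count": g["failure"],
            "geo": geo.get(ip, {"Country": "unknown"}),  # enrichment, as iplocation would add
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample data only 203.0.113.10 in the 10:00 window fires (three distinct users, two successes and one failure); the same IP at 10:15 falls in the next window with a single user, and 198.51.100.7 never exceeds one distinct user. Because the threshold is a single user per window, shared egress points such as a corporate NAT gateway or VPN concentrator will produce the same pattern from legitimate use, so in practice the detection is tuned with an allowlist of known egress addresses or a higher threshold for those ranges.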
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- User Account
ATT&CK Techniques
- T1078
Created: 2024-02-09