
Summary
This detection rule identifies logins to Linux systems from outside approved office locations, using Osquery. It monitors for logins that originate from IP addresses outside the company's designated office IP range. The rule runs several checks that compare the source addresses of logged-in users against a list of known office IPs, and raises an alert when a login is seen from a non-approved address. Specifically, the detection keys on user logins that originate from any non-office network, indicated by the absence of a known corporate IP address. Analysis of an alert should include reviewing the host IP address against the allowlist to determine whether the access is legitimate, and updating the allowlist where necessary. Because the rule relies entirely on detecting logins from unauthorized IP addresses, it maps to MITRE ATT&CK TA0001:T1078, which covers the use of valid accounts to gain initial entry into systems.
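The allowlist comparison described above, as an added illustration that is not part of the rule itself: it runs over constructed rows shaped like the output of Osquery's logged_in_users table and reports sessions whose source host falls outside constructed office ranges, skipping local tty sessions that carry no network origin.

```python
import ipaddress

# Constructed sample office ranges; a real deployment loads the
# organisation's own allowlist instead.
OFFICE_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),    # constructed: HQ egress range
    ipaddress.ip_network("2001:db8:10::/48"),  # constructed: branch IPv6 range
]

# Constructed rows shaped like the result of the osquery statement
#   SELECT type, user, host, time FROM logged_in_users;
SAMPLE_ROWS = [
    {"type": "user", "user": "alice", "host": "203.0.113.42",   "time": "1662100000"},
    {"type": "user", "user": "bob",   "host": "198.51.100.7",   "time": "1662100100"},
    {"type": "user", "user": "root",  "host": "",               "time": "1662100200"},  # local tty login
    {"type": "user", "user": "carol", "host": "2001:db8:10::5", "time": "1662100300"},
    {"type": "user", "user": "dave",  "host": "laptop.example", "time": "1662100400"},  # hostname, not IP
]


def host_is_office(host, cidrs):
    """True only when host parses as an IP address and lies inside an office range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname cannot be matched against an IP range; treat it as non-office
        # so the analyst reviews it rather than silently trusting it.
        return False
    return any(addr in net for net in cidrs)


def find_non_office_logins(rows, cidrs=OFFICE_CIDRS):
    """Return (user, host) pairs for sessions whose source is outside the office ranges.

    Rows with an empty host are local console/tty sessions with no network origin
    and are skipped; every other row alerts unless its host matches the allowlist.
    """
    alerts = []
    for row in rows:
        host = row.get("host", "")
        if host == "":
            continue
        if not host_is_office(host, cidrs):
            alerts.append((row["user"], host))
    return alerts


if __name__ == "__main__":
    for user, host in find_non_office_logins(SAMPLE_ROWS):
        print(f"ALERT non-office login: user={user} host={host}")
```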
Categories
- Linux
- Endpoint
Data Sources
- User Account
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1078
Created: 2022-09-02