
Summary
This detection rule identifies a user logging into a sanctioned Microsoft application from an IP address that Microsoft Cloud App Security has classified as risky. The rule uses data from the Security Compliance Center and matches events labeled 'Log on from a risky IP address' whose status is successful; failed attempts from the same addresses are not in scope. Because a successful logon from a risky network is a common indicator of stolen or phished credentials, surfacing these events lets security teams investigate possible credential theft and unauthorized access from locations or networks of higher concern before the session is used against corporate resources. The rule relies on Microsoft 365 security telemetry to support threat detection and response in cloud environments.
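The matching logic described above, as an added example and not the rule's own query: it filters constructed Microsoft 365 audit records for the three conditions the summary names (Security Compliance Center source, the 'Log on from a risky IP address' operation, successful result). The field names (Workload, Operation, ResultStatus, UserId, ClientIP, ApplicationName) are assumptions modelled on the Office 365 Management Activity API common schema, and the sample records are constructed.

```python
"""Added example (not the rule's query): detect successful logons from a
risky IP as flagged by Microsoft Cloud App Security in M365 audit records."""
import json
from typing import Iterator

# Constructed newline-delimited JSON sample, not real telemetry; field names
# are assumptions based on the Office 365 Management Activity API schema.
# The third line is deliberately malformed to exercise the parser's handling.
SAMPLE_AUDIT_LOG = """\
{"Workload":"SecurityComplianceCenter","Operation":"Log on from a risky IP address","ResultStatus":"Success","UserId":"alice@example.com","ClientIP":"203.0.113.10","ApplicationName":"Microsoft Exchange Online"}
{"Workload":"SecurityComplianceCenter","Operation":"Log on from a risky IP address","ResultStatus":"Failed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ApplicationName":"SharePoint Online"}
{"Workload":"SecurityComplianceCenter","Operation":"Log on from a risky IP address"
{"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"carol@example.com","ClientIP":"192.0.2.5","ApplicationName":"Microsoft Teams"}
{"Workload":"SecurityComplianceCenter","Operation":"Log on from a risky IP address","ResultStatus":"Success","UserId":"dave@example.com","ClientIP":"203.0.113.44","ApplicationName":"OneDrive for Business"}
"""

MCAS_WORKLOAD = "SecurityComplianceCenter"          # assumed source label
RISKY_IP_LOGON = "Log on from a risky IP address"   # operation named by the rule


def parse_events(raw: str) -> Iterator[dict]:
    """Yield one dict per JSON line; skip blank or malformed lines instead of
    aborting, so one bad record cannot suppress later detections."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_risky_ip_logon(event: dict) -> bool:
    """All three rule conditions must hold: MCAS source, risky-IP operation,
    and a successful result (failed attempts are out of scope)."""
    return (
        event.get("Workload") == MCAS_WORKLOAD
        and event.get("Operation") == RISKY_IP_LOGON
        and event.get("ResultStatus") == "Success"
    )


def detect(raw: str) -> list[dict]:
    """Return one alert per matching event with the fields triaged first."""
    return [
        {"user": e.get("UserId"), "ip": e.get("ClientIP"), "app": e.get("ApplicationName")}
        for e in parse_events(raw)
        if is_risky_ip_logon(e)
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```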
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Logon Session
Created: 2021-08-23