Anomalous Azure Active Directory apps based on authentication location
This query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations to the total number of authentications.
Source: GitHub - Microsoft
MITRE ATT&CK Tactics
Azure Signin Logs
Review the LocationString, Identity and AppDisplayName fields and validate whether they are within normal parameters for your organization. Look for users accessing different applications within a short timeframe from various locations.
If any abnormal behavior is identified, immediately disable the affected user accounts in Azure AD.
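The ratio described above can be reproduced offline over exported sign-in records. The following is an added example, not the Microsoft query itself; the sample records, the function names and the `min_signins` and `min_ratio` thresholds are assumptions chosen for illustration. It also shows why a minimum volume is needed: an app with a single sign-in always has a ratio of 1.0.

```python
from collections import defaultdict

# Constructed sign-in records (not real data). Field names follow the page:
# AppDisplayName, Identity, LocationString.
SIGNINS = (
    [{"AppDisplayName": "Contoso HR Portal", "Identity": f"user{i % 5}",
      "LocationString": "US/Washington/Seattle"} for i in range(40)]
    + [{"AppDisplayName": "Legacy Mail Sync", "Identity": "svc-mail",
        "LocationString": loc}
       for loc in ["US/Texas/Austin", "BR/Sao Paulo/Sao Paulo", "DE/Berlin/Berlin",
                   "IN/Karnataka/Bengaluru", "NG/Lagos/Lagos", "JP/Tokyo/Tokyo",
                   "US/Texas/Austin", "FR/Ile-de-France/Paris", "AU/NSW/Sydney",
                   "CA/Ontario/Toronto"]]
    + [{"AppDisplayName": "Rarely Used Tool", "Identity": "alice",
        "LocationString": "GB/England/London"}]
)

def location_ratios(signins):
    """Per app: total sign-ins, distinct locations, distinct users, and ratio."""
    totals = defaultdict(int)
    locations = defaultdict(set)
    users = defaultdict(set)
    for s in signins:
        app = s["AppDisplayName"]
        totals[app] += 1
        locations[app].add(s["LocationString"])
        users[app].add(s["Identity"])
    return {app: {"total": totals[app], "locations": len(locations[app]),
                  "users": len(users[app]),
                  "ratio": len(locations[app]) / totals[app]} for app in totals}

def anomalous_apps(signins, min_signins=10, min_ratio=0.5):
    """Apps whose distinct-location ratio is high on a meaningful sample.

    min_signins and min_ratio are assumed thresholds; tune them per tenant.
    """
    stats = location_ratios(signins)
    hits = [(app, s) for app, s in stats.items()
            if s["total"] >= min_signins and s["ratio"] >= min_ratio]
    return sorted(hits, key=lambda h: h[1]["ratio"], reverse=True)

if __name__ == "__main__":
    for app, s in anomalous_apps(SIGNINS):
        print(f"{app}: {s['locations']} locations / {s['total']} sign-ins "
              f"= {s['ratio']:.2f} ({s['users']} users)")
```

A high ratio concentrated on a single Identity, as in the constructed "Legacy Mail Sync" case, is the pattern the triage step above asks you to validate against normal usage.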