Forum Discussion
Trying to understand "Anomalous sign-in location by user account and authenticating application"
Okay, I will look into that.
I'm just trying to understand why the incident is actually being created and what the response to it should be.
Thanks for the help
mircasa - Thanks for the feedback. I am looking at the detection and we will likely have some updates in the next week available on the Azure Sentinel GitHub. The involved App should already be coming through in the AppDisplayName, but agreed we should bring through the Location information, the ResultType for the sign-in (meaning the success or failure error code), along with the IPAddresses related to the UserPrincipalName that is making the sign-in attempt. The goal of this detection is to indicate that a UserPrincipalName for a given AppDisplayName is anomalous based on the location the IP is associated with, all relative to the last day, 7 days and 14 days. If an alert fires for this, then using the workbook that Ofer points out would be a next step to understand context for the user and sign-ins. We can also look at improving the description to help with this. I will post back once the new version is available.
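The logic shainw describes (a UserPrincipalName plus AppDisplayName whose sign-in location in the last day was not seen in the 7- or 14-day baseline), as an added illustration in Python over constructed SigninLogs-style rows; this is not the Sentinel rule's KQL, and the field names, sample users, IPs and country codes are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like SigninLogs columns (not real data):
# (TimeGenerated, UserPrincipalName, AppDisplayName, Location, ResultType, IPAddress)
SIGNINS = [
    ("2020-05-01T09:00:00", "alice@contoso.example", "Office 365 Exchange Online", "NZ", "0", "203.0.113.10"),
    ("2020-05-05T10:30:00", "alice@contoso.example", "Office 365 Exchange Online", "NZ", "0", "203.0.113.10"),
    ("2020-05-12T08:15:00", "alice@contoso.example", "Office 365 Exchange Online", "NZ", "0", "203.0.113.11"),
    ("2020-05-14T23:40:00", "alice@contoso.example", "Office 365 Exchange Online", "RU", "0", "198.51.100.7"),
    ("2020-05-03T11:00:00", "bob@contoso.example", "Azure Portal", "NZ", "0", "203.0.113.12"),
    ("2020-05-14T22:00:00", "bob@contoso.example", "Azure Portal", "NZ", "50126", "203.0.113.12"),
]


def anomalous_signin_locations(rows, now, lookback_days=14, recent_days=1):
    """Flag (UPN, App) pairs whose location in the recent window was absent from the baseline window.

    Baseline window: [now - lookback_days, now - recent_days); recent window: [now - recent_days, now].
    Each alert carries the context fields the post says should be surfaced (Location, ResultType, IP).
    """
    recent_cutoff = now - timedelta(days=recent_days)
    baseline_cutoff = now - timedelta(days=lookback_days)
    baseline = defaultdict(set)   # (upn, app) -> set of locations seen in the baseline window
    recent = []
    for ts, upn, app, loc, result, ip in rows:
        t = datetime.fromisoformat(ts)
        if baseline_cutoff <= t < recent_cutoff:
            baseline[(upn, app)].add(loc)
        elif t >= recent_cutoff:
            recent.append((t, upn, app, loc, result, ip))
    alerts = []
    for t, upn, app, loc, result, ip in recent:
        known = baseline.get((upn, app), set())
        # A pair with no baseline at all is "new", not "anomalous"; only flag a location
        # that contradicts an established history for that user and application.
        if known and loc not in known:
            alerts.append({
                "TimeGenerated": t.isoformat(), "UserPrincipalName": upn, "AppDisplayName": app,
                "Location": loc, "ResultType": result, "IPAddress": ip,
                "KnownLocations": sorted(known), "LookbackDays": lookback_days,
            })
    return alerts


def demo_alerts(lookback_days=14):
    """Run the check at a fixed evaluation time so the result is reproducible."""
    return anomalous_signin_locations(SIGNINS, datetime(2020, 5, 15), lookback_days)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Running both the 7-day and 14-day baselines, as the post describes, lets an analyst see whether the location is new only recently or new for the whole period; a failed ResultType on the anomalous row is worth noting separately from a success.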
- mircasa, May 15, 2020, Copper Contributor
I definitely think that location info and ResultType would be a good addition.
Looking forward to the update.
Thanks for all the answers!
- steveburkettnz, May 25, 2020, Brass Contributor
shainw Also interested in this update, looking for Sentinel to flag us when a user signs in to Office 365 from a country other than their own.