Which anomaly detection policy is suitable for triggering a security alert when a user signs in from a previously unused location?



The correct answer is the policy that identifies user sign-ins from locations not normally associated with the user's account. That makes it the policy suited to raising a security alert when an unauthorized party may be attempting access by signing in from a new geographical location.

The "Activity from infrequent country" policy learns the user's typical sign-in pattern and flags any sign-in from a location that has not been used before, or that is statistically infrequent, for that particular user. Such a sign-in can be a strong indicator of a compromised account, since malicious actors often access accounts from a different geographical region than the legitimate owner.

In contrast to the other options, "Impossible travel" detects sign-ins from two geographically distant locations within a time frame too short for physical travel between them; it does not apply here, because the scenario concerns a single sign-in from a completely new location. "Malware detection" identifies harmful software and has nothing to do with sign-in locations. Lastly, "Activity from anonymous IP addresses" targets traffic from anonymizing or otherwise suspicious IP addresses, but it does not take into account the user's historical sign-in locations.

Taken together, this establishes that the "Activity from infrequent country" policy is the one that directly matches the scenario of detecting sign-ins from previously unused locations.
