Are you looking into Elastic Security or Alerting rules for this? Just wondering.
Maybe I would suggest trying to create a transformation job for this. For example, the Impossible Travel rule:
Hi all,
Just looking for a bit of advice regarding creating a transform job for detecting Impossible Travel Activity.
We have had some success already; however, it appears the Painless script is often using the wrong source.geo.location values to calculate the distance.
It is currently looking at all data coming from o365.audit and azure.signinlogs and within an ES|QL rule we are filtering for successful sign-ins.
If anyone has any ideas, or successful implementations of this already, I would…
If that does not meet your needs, you can still use a transformation rule to group by a unique field and aggregate by the location field.
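The grouping suggested above, written out as an added example (not code from this thread): a pivot transform that buckets successful sign-ins per user and hour, sorts each bucket's events by time inside a scripted_metric, and keeps the fastest implied speed between consecutive source locations. The index patterns, the ECS field names (user.name, source.geo.location, event.outcome), the one-hour bucket and the success filter are assumptions to adapt to your own mappings.

```console
# Added example, not from this thread: a pivot transform that groups successful
# sign-ins per user and hour, sorts them by time in a scripted_metric and keeps
# the fastest implied speed between consecutive locations (assumed ECS fields).
PUT _transform/impossible_travel_example
{
  "source": {
    "index": ["logs-o365.audit-*", "logs-azure.signinlogs-*"],
    "query": { "term": { "event.outcome": "success" } }
  },
  "dest": { "index": "impossible_travel_summary" },
  "pivot": {
    "group_by": {
      "user.name": { "terms": { "field": "user.name" } },
      "hour": { "date_histogram": { "field": "@timestamp", "calendar_interval": "1h" } }
    },
    "aggregations": {
      "max_speed_kmh": {
        "scripted_metric": {
          "init_script": "state.events = []",
          "map_script": """
            if (doc['source.geo.location'].size() > 0) {
              def p = doc['source.geo.location'].value;
              state.events.add(['t': doc['@timestamp'].value.toInstant().toEpochMilli(),
                                'lat': p.lat, 'lon': p.lon]);
            }
          """,
          "combine_script": "return state.events",
          "reduce_script": """
            def all = [];
            for (s in states) { all.addAll(s); }
            // order by time so each distance is between consecutive sign-ins
            all.sort((a, b) -> Long.compare((long)a['t'], (long)b['t']));
            double maxSpeed = 0;
            for (int i = 1; i < all.size(); i++) {
              def a = all[i - 1]; def b = all[i];
              double dLat = Math.toRadians(b['lat'] - a['lat']);
              double dLon = Math.toRadians(b['lon'] - a['lon']);
              double h = Math.sin(dLat / 2) * Math.sin(dLat / 2) + Math.cos(Math.toRadians(a['lat']))
                * Math.cos(Math.toRadians(b['lat'])) * Math.sin(dLon / 2) * Math.sin(dLon / 2);
              double km = 2 * 6371.0 * Math.asin(Math.sqrt(h));   // haversine distance
              // floor the gap at one minute so simultaneous events do not divide by zero
              double hours = Math.max((b['t'] - a['t']) / 3600000.0, 1.0 / 60.0);
              maxSpeed = Math.max(maxSpeed, km / hours);
            }
            return maxSpeed;
          """
        }
      }
    }
  }
}
```

Each destination document then carries one user's peak implied speed for that hour, so a threshold query or detection rule on max_speed_kmh can alert on the physically impossible cases.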