Good afternoon,

We are working on enhancements from the geographic login outliers from hxxps://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html.

The original solution works very well, thank you to those who put in the work creating documentation, developing Stellar, and of course Metron.

A common scenario that frustrates us is when someone uses a VPN service. The use of VPN services is common to certain geographic regions, and this type of activity usually shows up as someone connecting from two diverse geographic locations using the same two IP addresses (one for home and the other using a VPN).

I would like to enhance the original example with something that roughly does this:

If the login points are geographic outliers, then:
- Check if there are more than two distinct IP addresses that the person has used; and
- If there are more than two distinct IP addresses, increase the score.

The idea is to adjust the score based on the number of IP address access points so we prioritize our focus on someone using 20 different IP addresses rather than someone only using two.

If someone has another approach, I would appreciate any guidance. For now, I'm digging into Stellar syntax to see if we can figure out a solution there.

Thank you,
Tom.
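
The scoring rule described in the message above, sketched as an added example that is not part of the original message or of Metron's own code. It is written in Python rather than Stellar, and the base score, cap, look-back window, logarithmic scaling and the `is_geo_outlier` flag (assumed to be produced by the existing outlier check) are all assumptions.

```python
import math
from collections import defaultdict

BASE_SCORE = 10                  # assumed score for a plain geographic outlier
IP_BASELINE = 2                  # home + one VPN exit, as described in the message
MAX_SCORE = 100                  # assumed cap
WINDOW_SECONDS = 7 * 24 * 3600   # assumed look-back window for "distinct IPs"

def score_logins(events):
    """events: (ts, user, ip, is_geo_outlier) tuples sorted by ts.
    Returns (ts, user, ip, score) for every login."""
    seen = defaultdict(dict)     # user -> {ip: last time seen}
    scored = []
    for ts, user, ip, is_geo_outlier in events:
        ips = seen[user]
        ips[ip] = ts
        # Forget addresses that fell out of the look-back window.
        for stale in [a for a, t in ips.items() if ts - t > WINDOW_SECONDS]:
            del ips[stale]
        score = 0
        if is_geo_outlier:
            # Only addresses beyond the two-IP baseline raise the score;
            # log scaling keeps 20 IPs well above 3 without running away.
            extra = max(0, len(ips) - IP_BASELINE)
            bump = round(BASE_SCORE * math.log2(1 + extra))
            score = min(MAX_SCORE, BASE_SCORE + bump)
        scored.append((ts, user, ip, score))
    return scored

def final_scores(events):
    """Latest score per user, for triage ordering."""
    return {user: score for _, user, _, score in score_logins(events)}

# Constructed sample: alice alternates between two addresses (home + VPN),
# bob logs in from 20 different addresses. All logins are flagged outliers.
SAMPLE = sorted(
    [(i * 3600, "alice", ("198.51.100.7", "203.0.113.9")[i % 2], True)
     for i in range(6)]
    + [(i * 3600 + 1, "bob", f"192.0.2.{i + 1}", True) for i in range(20)]
)

if __name__ == "__main__":
    for user, score in sorted(final_scores(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(user, score)
```
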
