Configure the anomaly detector to find unusual logon

Hello everyone,
I have a document with IP address and the username. A user in a country can have an IP Address in a specific range for example from up to That means for example it logs on from France. I want to detect if the user changes its location by login. I am configuring the detector so that my feature detector is the IP Addrees with the aggregation Min .
"data_win_eventdata_ip_address": {
"min": {
"field": ""
Furthermore, i have add a category with the field IP Address.
But that does not seems to work. Can someone please help me, how i can configure it suitable?
Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.