I configured a lat_long job in order to find anomalies in login geolocation.
In a day, I had a user log in from IP1 (transforms to location1, Iowa) 4-5 times within a 5-minute interval. After that, I had the same user log in from IP2 (transforms to location2, Texas). As per my understanding, the attempt from Texas should be detected as anomalous by the lat_long job. But it does NOT detect that as anomalous.
Does the model need data over a period of time in order to learn the geolocation for a user? Is it not detecting anomalies as the learning data is not more than a day?
The official xpack documentation says, "lat_long function detects anomalies where the geographic location of a credit card transaction is unusual for a particular customer’s credit card". If anyone can briefly tell me what is "unusual" with an example scenario, it would be great for me to put the job together.
FYI, the job gives me results, just that I am testing the job by simulating the above scenario which is not being caught by the job.