We currently have our vpn logs going into graylog and have created some notifications and alerts around that data. Once of the ones we want to create is an alarm that will trigger if a users source IP changes substantially. For example, user foo logs in mostly as
Suddenly this changes to:
how would I go about create an alert that could be triggered by that scenario?