Hi all,

I'm working on request source IP change alerting for APIM analytics. If the source IP is different from the usual IP range of an access token bearer, we should send an alert out. This possibly means that the access token is in the hands of someone else.

There will be a couple of triggers that would generate the alerts for unusual request IP changes (where the IP would lie outside the user's 'usual' IP range):

1. Time difference between the last access time and the current access time. This means if a certain IP has not been used for an x amount of time (x is configurable) and a request comes from that IP, an alert would be generated (much like Gmail requesting you to log in when you access it from a different continent).
2. The request count for the IP is low (e.g. a couple of accesses for a whole month) and a request comes from that IP; an alert would be generated (again, the count is configurable).

This would be implemented by maintaining an event table for each consumerID, with the IPs accessed along with the count for that specific (consumerID, IP) pair and the last accessed time for that pair, and comparing the incoming requests against it.

WDYT?

Thanks,
Sachith

--
Sachith Withana
Software Engineer; WSO2 Inc.; http://wso2.com
E-mail: sachith AT wso2.com
M: +94715518127
Linked-In: https://lk.linkedin.com/in/sachithwithana
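
The event table and the two triggers proposed above, as an added Python example that is not part of the original post and not WSO2 code. The class name, reason strings, threshold values and sample IPs are constructed for illustration, and treating a never-seen IP as having zero prior requests is an assumption.

```python
from dataclasses import dataclass

@dataclass
class IpStats:
    count: int        # requests seen so far for this (consumerID, IP) pair
    last_seen: float  # epoch seconds of the most recent request

class SourceIpMonitor:
    """Hypothetical per-consumer event table: consumer_id -> {ip: IpStats}."""

    def __init__(self, max_idle_s, min_count):
        self.max_idle_s = max_idle_s  # the configurable "x" of trigger 1
        self.min_count = min_count    # the configurable count of trigger 2
        self.table = {}

    def load_baseline(self, consumer_id, ip, count, last_seen):
        """Seed the table from historical data without raising alerts."""
        self.table.setdefault(consumer_id, {})[ip] = IpStats(count, last_seen)

    def observe(self, consumer_id, ip, ts):
        """Record one request and return the alert reasons it triggers."""
        ips = self.table.setdefault(consumer_id, {})
        stats = ips.get(ip)
        reasons = []
        if stats is None:
            # Assumption: an IP never seen for this consumer has count 0,
            # so it is handled by the low-count trigger below.
            stats = ips[ip] = IpStats(0, ts)
        elif ts - stats.last_seen > self.max_idle_s:
            reasons.append("idle_ip")        # trigger 1: IP unused for too long
        if stats.count < self.min_count:
            reasons.append("low_count_ip")   # trigger 2: rarely used IP
        stats.count += 1
        stats.last_seen = ts
        return reasons

def demo():
    day = 86400
    monitor = SourceIpMonitor(max_idle_s=30 * day, min_count=5)
    # Constructed history for one consumer (documentation-range IPs).
    monitor.load_baseline("consumer-1", "203.0.113.10", count=400, last_seen=99 * day)
    monitor.load_baseline("consumer-1", "198.51.100.7", count=50, last_seen=10 * day)
    now = 100 * day
    return [monitor.observe("consumer-1", ip, now)
            for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99")]

if __name__ == "__main__":
    print(demo())
```

Without a seeded baseline, every consumer's first requests fall under the low-count trigger, so the table needs historical data or a learning period before alerts are acted on.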
