Joe Wong
Tera Guru

Hi Serena,

That is a very interesting use case. I can see how this is a good security measure. I personally have not implemented something like this, but I have an idea of how it might be done, or can at least give you a start.

Do you have experience with API calls? If so, my suggestion would be to use an external service such as https://ip-api.com/ (no affiliation, I just Googled it). This will allow you to do a reverse lookup on an IP address, so you can provide the IP addresses from entries within the syslog_transaction table.

Now this is where you will need to really think about how to implement this. Since syslog_transaction has all pages that are loaded by any user on the system, it gets big really quickly, so definitely don't write a business rule on this table to get an answer for all IP addresses here. Depending on your needs, maybe you could run a script at a certain interval, pick out unique IP addresses from the syslog_transaction table, and run the API call for those particular IP addresses.

To further streamline this process, you could also create a custom table that will hold IP addresses you have already looked up, so when filtering for your API call, you can filter for only the ones that you don't know. This way, it does not keep looking up the same IP addresses of known origins.

Lastly, when you get back the API call, you will be able to see where the IP address originated from, and you can create a ticket however you see fit.

From what I can see, this is a doable project, but definitely not a straightforward one, and one that will require a lot of testing.

I know this might not be a solution, but I hope this will lead you down the right path to finding one.
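
The batch logic described in the reply above, as an added example that is not part of the original post and is not ServiceNow's own code. The function names, the allowed-country list, the per-run lookup cap and the `status`/`countryCode` response fields are assumptions; the lookup is injected so the selection and caching logic can be tested without calling any service.

```javascript
// Added example: plain JavaScript, no ServiceNow APIs. On an instance, `rows`
// would come from syslog_transaction, `cache` from the custom table, and
// `lookup` from the outbound call to the geolocation service (all assumptions).

// Private, loopback, link-local and malformed/non-IPv4 values are not looked up.
function shouldSkip(ip) {
  var p = String(ip).split('.').map(Number);
  if (p.length !== 4 || p.some(function (n) { return !(n >= 0 && n <= 255); })) return true;
  return p[0] === 10 || p[0] === 127 || (p[0] === 192 && p[1] === 168) ||
    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 169 && p[1] === 254);
}

// Returns what one scheduled run would do; mutates `cache` with new results.
function reviewBatch(rows, cache, lookup, allowedCountries, maxLookups) {
  var result = { lookups: 0, skipped: 0, tickets: [] };
  var seen = Object.create(null);
  rows.forEach(function (row) {
    var ip = row.ip;
    if (seen[ip]) return;                        // one decision per unique IP
    seen[ip] = true;
    if (shouldSkip(ip)) { result.skipped++; return; }
    if (Object.prototype.hasOwnProperty.call(cache, ip)) return; // already known
    if (result.lookups >= maxLookups) return;    // leave the rest for the next run
    result.lookups++;
    var r = lookup(ip);
    if (!r || r.status !== 'success') return;    // failed lookups are not cached
    cache[ip] = r.countryCode;
    if (allowedCountries.indexOf(r.countryCode) === -1) {
      result.tickets.push({ ip: ip, country: r.countryCode, user: row.user });
    }
  });
  return result;
}

// Constructed sample data (documentation address ranges, made-up users).
function sampleRun() {
  var rows = [
    { ip: '10.1.2.3', user: 'alice' }, { ip: '203.0.113.7', user: 'bob' },
    { ip: '203.0.113.7', user: 'bob' }, { ip: '198.51.100.9', user: 'carol' },
    { ip: '192.0.2.44', user: 'dave' }
  ];
  var cache = { '198.51.100.9': 'US' };          // looked up on an earlier run
  var canned = { '203.0.113.7': { status: 'success', countryCode: 'FR' },
                 '192.0.2.44': { status: 'fail', message: 'reserved range' } };
  var lookup = function (ip) { return canned[ip]; }; // stands in for the HTTP call
  var result = reviewBatch(rows, cache, lookup, ['US'], 10);
  return { result: result, cache: cache };
}
```

Failed lookups are deliberately left out of the cache so they are retried on a later run, and the lookup cap keeps a single run from sending an unbounded number of requests to the external service.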