Similar to the question posed about volume of activity, is there a way to trigger an alert or event, get it logged, and possibly have an email sent in the case of someone/something from an unusual or unlikely location accessing areas that have both a private and a public facing IP address? What I'm thinking of is if someone who wouldn't normally be interested in our sites/servers because of location or interest should suddenly decide to try to look at items on the sites/servers. I would include web spiders and many automated indexers in this category if they originated in a location that wouldn't normally be interested in us. I could see someone moving into the area wanting to check activities, ranking, enrollment, and things like that, since we are a school district. I could see educational associations checking on some things. I would not expect to see someone/something from outside North America being interested for a reasonably legitimate reason.
Somewhat connected to the questions above, is there a way to build or define a list of addresses so that if the address is on the list, it sends an email to notify network and system administrators letting them know of the interest? I'm trying to figure out an efficient way to be able to build the list and have it checked by probably NPM (maybe NTA) and use the results from the alerts to help us modify the list to either use it as a blacklist (if access is denied) or a whitelist (if the list is used to allow people to touch the network). I am also not certain which would be more efficient to do and would appreciate comments/suggestions/advice about it. My motivation is to protect any information on the machines that have both public and private addresses without denying the information to anyone who has a legitimate reason for wanting it.
I think once we can figure out a good way to trigger an alert/event, getting the information put into a report wouldn't be too hard.
Thanks, in advance, for any information.
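To make the two ideas in the post concrete (a list of addresses that triggers a notification, and flagging access from a region that would not normally be interested), here is an added example that is not SolarWinds NPM/NTA code and not part of the original thread. It scans web-server access log lines, checks each public source address against an administrator-maintained list in either blacklist or whitelist mode, checks the address's region against the set of expected regions, and builds (but does not send) the notification e-mail. The log lines, the address list and the prefix-to-region table are all constructed for the example; in practice the region table would be replaced by a real GeoIP lookup, and the message would be handed to an SMTP relay.

```python
"""Watchlist and region-based access alerting over access-log lines.

Added example (not NPM/NTA code). Assumptions, all constructed for the
example: the log lines, the prefix -> region table that stands in for a
real GeoIP database, and the deny/allow lists.
"""
import ipaddress
import re
from dataclasses import dataclass
from email.message import EmailMessage

# Apache "common log format": client IP, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# CONSTRUCTED sample traffic using documentation address ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2023:13:55:36 -0500] "GET /enrollment/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 -0500] "GET /rankings HTTP/1.1" 200 1203
192.0.2.88 - - [10/Oct/2023:13:57:12 -0500] "GET /admin/ HTTP/1.1" 403 211
10.10.5.23 - - [10/Oct/2023:13:58:40 -0500] "GET /staff HTTP/1.1" 200 998
"""

# CONSTRUCTED stand-in for a GeoIP database: prefix -> region label.
REGION_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "internal",
    ipaddress.ip_network("192.0.2.0/24"): "North America",
    ipaddress.ip_network("198.51.100.0/24"): "North America",
    ipaddress.ip_network("203.0.113.0/24"): "Outside North America",
}


def region_of(ip):
    """Return the region label for an address, or 'unknown' if unmapped."""
    for net, region in REGION_TABLE.items():
        if ip in net:
            return region
    return "unknown"


@dataclass
class Policy:
    mode: str              # "blacklist": alert if listed; "whitelist": alert if not listed
    listed: list           # ipaddress.ip_network entries maintained by the admins
    expected_regions: set  # regions from which interest is considered normal


def evaluate(ip_str, policy):
    """Return the list of reasons a source address should raise an alert."""
    ip = ipaddress.ip_address(ip_str)
    region = region_of(ip)
    if region == "internal":
        return []  # private-side traffic is out of scope for this check
    reasons = []
    on_list = any(ip in net for net in policy.listed)
    if policy.mode == "blacklist" and on_list:
        reasons.append("source on deny list")
    elif policy.mode == "whitelist" and not on_list:
        reasons.append("source not on allow list")
    if region not in policy.expected_regions:
        reasons.append(f"unexpected region: {region}")
    return reasons


def scan_log(log_text, policy):
    """Parse each log line and collect an alert record for flagged requests."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        reasons = evaluate(m["ip"], policy)
        if reasons:
            alerts.append({"time": m["ts"], "ip": m["ip"], "path": m["path"],
                           "status": m["status"], "reasons": reasons})
    return alerts


def build_notification(alerts, recipients, sender="netmon@example.invalid"):
    """Build the e-mail for the admins; returns None when there is nothing to report."""
    if not alerts:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[web-access watch] {len(alerts)} flagged request(s)"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    body = "\n".join(
        f"{a['time']} {a['ip']} {a['path']} -> {a['status']}: {'; '.join(a['reasons'])}"
        for a in alerts
    )
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    policy = Policy("blacklist", [ipaddress.ip_network("203.0.113.0/24")], {"North America"})
    found = scan_log(SAMPLE_LOG, policy)
    mail = build_notification(found, ["netadmin@example.invalid"])
    print(mail if mail else "nothing to report")
```

Running it in blacklist mode with the constructed list flags only the request from the 203.0.113.0/24 source, for two reasons (it is on the deny list and outside the expected region); the same log in whitelist mode with 198.51.100.0/24 as the allow list also flags the 192.0.2.88 request, since it is North American but not on the list. The internal 10.x address never produces an alert, which matches the post's aim of watching the public side of dual-homed hosts.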