
I am building a Chronicle detection rule for Azure AD sign-in logs. I want to detect events where a user logs in from an IP address that has not been observed on the same resource within the past 14 days. Could you please help with this...

Hello @havox. In this scenario have you tried using the "over" syntax within a match block to achieve this? Here is a brief example which is not intended to be all encompassing but might help you get started.

In this rule excerpt I'm showing that we are classifying two events: one that represents the current login for the user, and one that represents the historical login. I'm also retrieving the IP address as part of this, which you may need to modify to get the IP from the correct field.

I then use a match block with an "over" condition to check back 14 days.

Let me know if you have any thoughts around this.

  events:
    // Current login: a successful Azure AD sign-in for a user against a resource.
    $current_login.metadata.event_type = "USER_LOGIN"
    $current_login.metadata.product_event_type = "Sign-in activity"
    $current_login.security_result.action = "ALLOW"
    $current_login.principal.user.userid = $user_id
    $current_login.target.application.name = $resource_app_name
    $current_login.source.ip = $ip_address

    // Historical login: an earlier successful sign-in by the same user, to the same
    // resource, from the same source IP (joined through the shared placeholders).
    $historical_login.metadata.event_type = "USER_LOGIN"
    $historical_login.metadata.product_event_type = "Sign-in activity"
    $historical_login.security_result.action = "ALLOW"
    $historical_login.principal.user.userid = $user_id
    $historical_login.target.application.name = $resource_app_name
    $historical_login.source.ip = $ip_address

  match:
    // Group both events on IP, user and resource over a 14-day window.
    $ip_address, $user_id, $resource_app_name over 14d
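As an added illustration, not part of the original thread or of Chronicle itself, the following Python script implements the same "new IP for this user and resource within 14 days" check on its own, so the expected alerts can be worked out on a handful of constructed sign-in records before the YARA-L rule is written. The record fields (`user_id`, `app`, `ip`, `action`, `ts`) are assumed stand-ins for the UDM fields used in the rule, and the sample events are constructed, not real log data. It also handles two edge cases the rule excerpt leaves implicit: denied sign-ins never count toward the baseline, and a period of history can be consumed without alerting so that the first event for every user does not fire.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins, shaped like the UDM fields the rule uses
# (principal.user.userid, target.application.name, source.ip,
# security_result.action). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user_id": "alice", "app": "SharePoint", "ip": "203.0.113.10", "action": "ALLOW"},
    {"ts": "2024-03-02T09:05:00", "user_id": "alice", "app": "SharePoint", "ip": "203.0.113.10", "action": "ALLOW"},
    # Denied sign-in: must not add this IP to the baseline.
    {"ts": "2024-03-03T11:00:00", "user_id": "alice", "app": "SharePoint", "ip": "198.51.100.7", "action": "BLOCK"},
    # First successful sign-in from this IP to SharePoint: alert.
    {"ts": "2024-03-04T08:00:00", "user_id": "alice", "app": "SharePoint", "ip": "198.51.100.7", "action": "ALLOW"},
    # Same IP but a different resource: alert, the baseline is per resource.
    {"ts": "2024-03-04T08:30:00", "user_id": "alice", "app": "Exchange", "ip": "198.51.100.7", "action": "ALLOW"},
    # Known IP, but last seen 18 days ago, beyond the window: alert again.
    {"ts": "2024-03-20T10:00:00", "user_id": "alice", "app": "SharePoint", "ip": "203.0.113.10", "action": "ALLOW"},
    # Seen the previous day: no alert.
    {"ts": "2024-03-21T10:00:00", "user_id": "alice", "app": "SharePoint", "ip": "203.0.113.10", "action": "ALLOW"},
]

WINDOW = timedelta(days=14)  # mirrors "over 14d" in the match block


def find_new_ip_logins(events, window=WINDOW, baseline_until=None):
    """Return the successful sign-ins whose (user, resource, ip) tuple was not
    seen in a successful sign-in during the preceding `window`.

    Events before `baseline_until` (ISO string, optional) only populate the
    baseline and never produce alerts, which avoids alerting on every user's
    first-ever record when the detector is cold-started on historical data.
    """
    cutoff = datetime.fromisoformat(baseline_until) if baseline_until else None
    last_seen = {}  # (user_id, app, ip) -> datetime of the last ALLOW sign-in
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] != "ALLOW":
            continue  # denied attempts do not establish a known IP
        ts = datetime.fromisoformat(event["ts"])
        key = (event["user_id"], event["app"], event["ip"])
        previous = last_seen.get(key)
        is_new = previous is None or ts - previous > window
        if is_new and (cutoff is None or ts >= cutoff):
            alerts.append(event)
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_new_ip_logins(SAMPLE_EVENTS, baseline_until="2024-03-02T00:00:00"):
        print(f"{alert['ts']} {alert['user_id']} -> {alert['app']} from new IP {alert['ip']}")
```

Run as a script it prints three alerts (the two sign-ins from `198.51.100.7` on 4 March and the return of `203.0.113.10` on 20 March); without `baseline_until` the very first record also fires, which is the cold-start behaviour to decide on before the rule goes live.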