Hello Team,
Recently I tried using Chronicle's `metrics.auth_attempts_success` function to analyze successful login activity by country for a specific user over the past 30 days. My goal was to dynamically filter the metric using the country from the incoming event like this:
```
$ip_country = principal.ip_geo_artifact.location.country_or_region
$historical_threshold_country_success = max(metrics.auth_attempts_success(
    period: 1d,
    window: 30d,
    metric: event_count_sum,
    agg: sum,
    target.user.userid: $targetAccountId,
    principal.ip_geo_artifact.location.country_or_region: $ip_country))
```
Surprisingly, this returned 0 for all users, even though I could confirm there were successful logins from countries like Germany and the UK.
After some debugging, I discovered that hardcoding the country like this worked:
```
principal.ip_geo_artifact.location.country_or_region: "Germany"
```
So it seems the metric function is case-sensitive and expects exact string values for dimensions. Using `"germany"` (lowercase) failed, while `"Germany"` (title case) succeeded.
Just wanted to share and ask if others have run into the same issue.
Has anyone else encountered this or found a good pattern for normalizing these values safely?