Crowdsec greylisting?

Crowdsec looks very promising, but I was wondering if anyone else has thought about doing it in reverse? When Crowdsec gets a login request, the IP can be in one of two states today, good (allowed to proceed) or known to be bad (bouncced). But there is a third state – unknown. The IP might be new, and thus not trusted, but not untrusted.

In this grey state, the scanners and parsers would ask the hub “This IP and its associated meta-data are not determined. Please request additional verification” For example, the hub might receive the following json

{ 
    ip: 199.200.201.15
    login: mrfoo
    pass: 19214!8@@xZ
    time: 12:41 PDT-8
    service: sshd
   host-urit: sshd://myserver.mydomain.com:2222
}

If this were a known bad IP, the bouncer would be activated. If it were whitelisted, it would be allowed, but configurations could also be invoked if “unknown” was returned such as:

{
    action-uri: ciscoduo://duoserver-21.cisco.com?user=mrfoo
}

or

{ 
     action-uri: msactivedirectory://myserver.mydomain.com?user=mrfoo
}

There do not run in the crowd sourced section --we only need to known that the authenticity of the source is uncertain. The local server must now reach out to the action-uri and see if it gets and OK from there.

So the flow is now:

We can a login a login attempt at server-a
Server-a asks Crowdsec about the attempt
If the attempt is a known attack, reject and bounce
If the source is a trusted IP (no known issues) allow
If the source is untrusted, an unknown reputation, indicate unknown
Back at the server, if unknown, use the configuration to query the verifying uri