Suspicious_login_detection

Suspicious_login_detection monitors login activities in real-time, swiftly identifying and responding to potentially unauthorized access. By extracting key data such as IP addresses and user details, it analyzes login attempts against historical patterns and geolocation insights. The workflow prioritizes alerts based on threat levels, ensuring immediate notifications via Slack and email to users about unusual logins. This proactive approach enhances security, allowing teams to address threats quickly and effectively, safeguarding user accounts and sensitive information.

7/4/2025
43 nodes
Complex
Categories: Data Processing & Analysis, Communication & Messaging, Webhook Triggered, Complex Workflow
Integrations: PostgreSQL, NoOp, Gmail, Slack, Sticky Note

Target Audience

- Cybersecurity Teams: Teams responsible for monitoring and responding to suspicious activities will benefit from this workflow by automating the detection of unusual login attempts.
- Developers and Engineers: Those looking to integrate automated security measures into their applications can utilize this workflow as a template for their own systems.
- IT Administrators: Administrators managing user accounts can use this workflow to ensure that any unauthorized access attempts are quickly identified and addressed.
- Business Owners: Owners of online services can implement this workflow to enhance the security of their platforms and protect user data from breaches.

Problem Solved

This workflow addresses the critical issue of suspicious login attempts. It automates the detection and response process, ensuring that any unusual login activities are promptly identified and escalated. By leveraging data from various sources, such as GreyNoise, IP-API, and UserParser, it provides a comprehensive analysis of login events, helping to mitigate the risks of unauthorized access and potential data breaches.

Workflow Steps

1. Trigger Event: The workflow starts when a new login event is detected via a webhook, capturing essential data such as IP address, user ID, and timestamp.
2. Data Extraction: Relevant data is extracted and stored for further analysis.
3. Threat Assessment: The workflow queries GreyNoise to assess the trust level of the IP address and classify it as malicious, benign, or unknown.
4. Geolocation Analysis: The IP-API is used to fetch geolocation data, helping to identify any new or unusual login locations.
5. User Agent Parsing: The UserParser API analyzes the user agent string to extract details about the browser, operating system, and device type.
6. Historical Comparison: The last 10 logins from the same user are retrieved to compare current login details against historical patterns.
7. Condition Checks: The workflow checks for anomalies in location and device/browser usage. If discrepancies are found, alerts are triggered.
8. Alert Notification: Depending on the severity of the threat, notifications are sent via Slack and an email is crafted to inform the user of the suspicious activity.
9. Final Actions: The workflow concludes by either escalating the alert or taking no action if the login is deemed safe.
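The Historical Comparison and Condition Checks steps above (6 to 8), written out as a plain function in the shape of an n8n Code node. This is an added example, not the template's own code: the field names, the severity labels and the mapping of severity to the Slack and email branches are assumptions, and the login history and current event are constructed sample data.

```javascript
// Added example, not the template's code; field names and thresholds are assumptions.
const login = (country, browser, os, device) => ({ country, browser, os, device });

// Constructed sample: the last 10 logins for one user, as the Postgres step would return them.
const HISTORY = [
  login("DE", "Firefox", "Linux", "desktop"), login("DE", "Firefox", "Linux", "desktop"),
  login("DE", "Safari", "iOS", "mobile"),     login("DE", "Firefox", "Linux", "desktop"),
  login("AT", "Firefox", "Linux", "desktop"), login("DE", "Safari", "iOS", "mobile"),
  login("DE", "Firefox", "Linux", "desktop"), login("DE", "Safari", "iOS", "mobile"),
  login("DE", "Firefox", "Linux", "desktop"), login("DE", "Firefox", "Linux", "desktop"),
];

// Constructed current event after the GreyNoise, IP-API and UserParser steps.
const CURRENT = {
  userId: "u-1001",
  ip: "203.0.113.7",                          // TEST-NET-3 documentation range
  greynoise: "unknown",                       // "malicious" | "benign" | "unknown"
  geo: { country: "BR" },
  ua: { browser: "Chrome", os: "Windows", device: "desktop" },
};

const fingerprint = (x) => `${x.browser}/${x.os}/${x.device}`;

// Compare one login against the user's recent history and decide what the
// alerting branches should do.
function assessLogin(event, history) {
  const reasons = [];
  if (history.length === 0) {
    reasons.push("no_history");               // nothing to compare against; review rather than trust
  } else {
    const countries = new Set(history.map((h) => h.country));
    const devices = new Set(history.map(fingerprint));
    if (!countries.has(event.geo.country)) reasons.push("new_country");
    if (!devices.has(fingerprint(event.ua))) reasons.push("new_device");
  }
  if (event.greynoise === "malicious") reasons.push("greynoise_malicious");
  // A flagged IP, or a new country on a new device, is high; one discrepancy is medium.
  let severity = "none";
  if (reasons.includes("greynoise_malicious") ||
      (reasons.includes("new_country") && reasons.includes("new_device"))) severity = "high";
  else if (reasons.length > 0) severity = "medium";
  return {
    userId: event.userId, ip: event.ip, severity, reasons,
    notifySlack: severity !== "none",         // Slack branch fires on any anomaly
    emailUser: severity === "high",           // user email only for high severity
  };
}
```

Inside an actual Code node the event and history would come from `$input` rather than the constants above; the decision logic is unchanged.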

Customization Guide

- Webhook Configuration: Adjust the webhook settings to match your application's login event structure, ensuring it captures the necessary data.
- API Keys: Update the API keys for GreyNoise, IP-API, and UserParser in their respective nodes to ensure proper authentication.
- Database Queries: Modify SQL queries in the Postgres nodes to align with your database schema and ensure accurate retrieval of user login history.
- Notification Settings: Customize the Slack and Gmail nodes to specify the channels or email addresses for alert notifications based on your team's communication preferences.
- Logic Adjustments: Tailor the conditional checks and thresholds for alerting based on your organization's risk tolerance and security policies.