This workflow monitors login events and detects unusual activity such as logins from unknown IPs, new locations, or unfamiliar devices. It enriches login data with threat intelligence, prioritizes risks, and notifies both users and security teams about suspicious attempts.
Features:
- 📡 Event Triggers: Capture login attempts via webhook or manual trigger for testing.
- 🗂 Data Extraction: Collect key details like IP address, user agent, timestamp, and user ID.
- 🌐 Threat Intelligence Integration:
- GreyNoise API for IP reputation & classification.
- IP-API for geolocation details.
- UserParser for browser/device analysis.
- 🧩 Anomaly Detection:
- Flags logins from new locations, devices, or browsers.
- Compares against last 10 login records in Postgres DB.
- 🚦 Risk Prioritization: Assigns High, Medium, or Low priority to each attempt based on trust level, classification, and context.
- 📢 Team Alerts: Sends detailed Slack notifications with user info, IP, timestamp, and GreyNoise reports.
- 📧 User Notifications: Generates and sends email alerts via Gmail if unusual login activity is detected.
- 🔄 Flexible Workflow: Can run in real-time for production or manually for testing and tuning.
