Suspicious Login Detection and Threat Alert Workflow
Monitors suspicious login events via webhook, analyzes IP with GreyNoise, geolocation, and user agent data, then alerts via Slack and email if threats detected.
This n8n workflow automates security monitoring for suspicious login attempts. Triggered manually or by webhook, it extracts key data like IP, user agent, timestamp, URL, and user ID from the payload. It then branches into three parallel paths: querying GreyNoise Community API for IP reputation and assigning alert priority (High/Medium/Low) based on noise/riot classification before notifying via Slack; fetching geolocation via IP-API and merging with UserParser data for user agent insights; and
Platform
n8n
Category
Education
Price
$24.99
Creator
QualityWorkflows
security
threat-detection
login-monitoring
GreyNoise
IP-geolocation
Slack-alerts
Postgres
email-notifications
incident-response
webhook
How to import this workflow into n8n
1Purchase or download the workflow to get the n8n workflow JSON file.
2In your n8n instance, open Workflows and choose "Import from File" (or paste the JSON with Ctrl+V on the canvas).
3Open each node marked with a credential warning and connect your own accounts and API keys.
4Run the workflow once manually to verify the data flow, then toggle it to Active.