Protect account access with an automated flow that spots risky sign ins, ranks them, and alerts the right people. Security and IT teams get clear Slack alerts, while users receive an email if a new device or location appears. The result is faster response with less noise.

A webhook or a manual test starts the run. The flow extracts IP, user ID, user agent, and time, then checks the IP with GreyNoise to judge trust and classification. It adds location details from IP API and parses device and browser using UserParser. A Postgres query loads the last ten logins for the user. If the city or device is new, the flow flags it and sets a priority. A Slack message shows the priority, user, IP, time, and a link to GreyNoise. If the account has an email, a styled Gmail notice is sent.

You will need API keys for GreyNoise and UserParser, Slack and Gmail credentials, and access to your Postgres database. Expect faster triage and fewer false positives, often cutting review time by more than half. Common uses include SaaS product logins, employee portals, and customer account areas. Setup is straightforward and lets your team scale review without adding headcount.

• Webhook trigger for live login events plus a manual trigger for safe testing
• Data extraction of IP, user ID, user agent, and timestamp from incoming events
• GreyNoise lookup with trust and classification switches to set alert priority
• IP API geolocation to add country, region, and city context
• UserParser analysis to identify browser, operating system, and device type
• Postgres queries to fetch the last ten logins and the user profile
• Merge nodes build a complete record combining intel, location, and device details
• If checks detect new city or new device and route paths accordingly
• Slack alerts include priority, user, IP, time, and a link to GreyNoise
• Gmail sends an HTML email to the user only if an email address exists

• Reduce manual triage from 2 hours to 10 minutes per incident by auto ranking and routing alerts
• Cut false positives by up to 40% using GreyNoise trust and classification data
• Unify IP intel, geolocation, device data, and user history into one alert
• Notify users within seconds when a new device or city is detected
• Handle thousands of login events without adding analyst workload
• Improve analyst focus with clear High Medium Low priorities

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Gmail, Slack, PostgreSQL, GreyNoise, IP-API and UserParser. See the Tools Required section above for links to create accounts with these services.
3. Open the New /login event webhook node and copy the production URL. In your auth service or app, send login events as HTTP POST requests to this URL.
4. In the n8n credentials manager, create a GreyNoise credential using Header Auth. Set the header name to key and paste your API key from the GreyNoise dashboard. Select it in the GreyNoise node.
5. Create a UserParser credential using Query Auth. Use the parameter name api_key and your API key from the UserParser account. Select it in the Parse User Agent and UserParser HTTP Request nodes.
6. Connect Slack: open the Slack node, choose Create new credential, complete the OAuth screen, and pick the target channel in the node settings.
7. Connect Gmail: open the Inform user node, choose Create new credential for Gmail OAuth2, approve scopes, and select the account to send emails from.
8. Connect PostgreSQL: in the credentials manager add your host, port, database, user, and password. Select this credential in both Postgres nodes. Ensure your n8n host can reach the database network.
9. Review the HTML node content and edit the message text, branding, and support links as needed.
10. Click the manual trigger and run the Example event to validate the full path. Confirm you receive a Slack alert and, if the test user has an email, a Gmail message.
11. Send a real login event from your app to the webhook. Check that new city or new device paths are flagged and that priorities appear in Slack.
12. Tune the Check trust level and Check classification switch nodes to match your risk policy. Adjust the Slack message fields and priority labels if needed.
13. Troubleshoot: HTTP 429 from IP-API means you hit the rate limit; space out requests. GreyNoise 401 indicates a bad API key. If emails fail, recheck Gmail OAuth scopes. If Slack messages do not post, confirm channel permissions. For database issues, verify the queries and network access.