Detect Suspicious Logins with n8n and GreyNoise Integration

This n8n workflow automates the detection of suspicious user logins by analyzing IP trust, location, and device anomalies. It efficiently notifies security teams via Slack and emails users about unusual login activities, enhancing real-time threat response.
Workflow Identifier: 1168
NODES in Use: Set, Webhook, If, Postgres, HTTP Request, Merge, Code, Manual Trigger, HTML, Gmail, Slack, Switch, NoOp

Opening Problem Statement

Meet Jamie, a security analyst at a mid-sized SaaS company who spends countless hours every week manually investigating unusual login alerts. Each day, Jamie reviews dozens of login events, trying to discern whether they represent legitimate user sessions or potential security breaches. This process is tedious, error-prone, and often results in missed threats or false alarms. For Jamie’s company, this means wasted time, increased risk of compromised accounts, and a potential loss of customer trust and revenue.

Specifically, the challenge is to quickly identify suspicious logins that come from unknown IP addresses, new devices, or unusual geographic locations. Without an automated system to correlate threat intelligence, geolocation, and user behavior, the security team struggles to prioritize real threats over benign activity. This scenario perfectly fits the need for a sophisticated yet accessible automation using n8n.

What This Automation Does

This n8n workflow transforms the login monitoring process by automating the detection and prioritization of suspicious login events. When executed, it performs the following key functions:

  • Real-time IP Threat Intelligence Check: Uses GreyNoise API to assess the reputation and classification of the IP address initiating the login.
  • Geolocation Analysis: Queries IP-API to determine the physical location of the login attempt and compares it against the user's recent login locations.
  • User Agent Parsing: Calls UserParser to identify the device, browser, and operating system used during login.
  • Anomaly Detection: Compares current login device/browser and location with historical login data retrieved from a Postgres database.
  • Prioritization and Alerting: Assigns a priority level (High, Medium, or Low) to the login event based on GreyNoise classification and other factors, then sends alerts via Slack to the security team.
  • User Notification: If suspicious activity is detected, users receive an HTML email notification detailing the login event and advice on immediate action.

With this automation, companies can save hours typically spent on manual review, reduce false positives, and improve reaction time to potential security threats.

Prerequisites ⚙️

  • n8n account with workflow execution capability.
  • Access to GreyNoise API with API key for IP reputation data (requires header authentication).
  • Access to IP-API for geolocation data (free tier limited to 45 requests/min, no auth required; note that the free endpoint is plain HTTP, so the IP addresses you look up leave your network unencrypted).
  • UserParser API access for detailed user agent parsing (API key with query authentication).
  • Postgres database containing user login history and user details.
  • Gmail account connected to n8n via OAuth2 credentials for the Gmail node (or SMTP credentials if you substitute the Send Email node) for sending user notification emails.
  • Slack workspace access and API token configured for alert notifications.

Step-by-Step Guide to Build the Suspicious Login Detection Workflow

Step 1: Setup Webhook to Receive Login Events

In n8n, add a Webhook node named New /login event. Set the HTTP Method to POST and give it a unique path (e.g., /705ca4c4-0a38-4ef8-9de9-abc8b3686dc6). The unguessable path is the only thing protecting this endpoint, so also set the node's Authentication option (Header Auth or Basic Auth) and give the matching secret to the login event source; otherwise anyone who learns the URL can inject fake login events or burn through the downstream API quotas. The webhook receives login event payloads containing the IP address, user agent, user ID, and timestamp.

Expected outcome: When a login attempt occurs, the webhook triggers the workflow with event data.

Common mistake: Forgetting to activate the workflow (the production webhook URL only listens while the workflow is active) or giving the login event source the test URL instead of the production one.

Step 2: Extract Relevant Data from Incoming Login Payload

Add a Set node named Extract relevant data connected to the webhook. Use it to extract key properties:

  • ip from $json.body.context.ip
  • userAgent from $json.body.context.userAgent
  • timestamp from $json.body.originalTimestamp
  • url from $json.body.context.page.url
  • userId from $json.body.userId

Enable the Keep Only Set option so that only these five fields are passed downstream, which keeps the expressions in later nodes short.

Expected outcome: Output JSON contains only these extracted fields.
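The extraction step above takes ip and userId straight from an HTTP body and later interpolates them into API URLs (Steps 3 and 9) and a SQL query (Step 8). The following is an added example, not code from the original workflow: a stricter version of the Extract relevant data step as plain JavaScript that can be pasted into an n8n Code node. The body paths are the ones listed above; the validation rules, the user-id format and the sample payloads are assumptions of this example.

```javascript
// Added example (not part of the original workflow): a stricter version of
// the Extract relevant data step, written as plain functions so it can be
// pasted into an n8n Code node. The body paths are those the page lists;
// the validation rules are an added precaution, because ip and userId are
// later interpolated into API URLs and a SQL query.

// Strict dotted-quad IPv4.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Loose IPv6: hex groups separated by colons. It accepts some strings that
// are not valid addresses, but it rejects '/', '?', quotes and spaces,
// which is what matters before the value reaches a URL or a query.
const IPV6 = /^[0-9a-f]{0,4}(:[0-9a-f]{0,4}){1,7}$/i;
// Assumed user-id format; tighten it to whatever your identity system emits.
const USER_ID = /^[A-Za-z0-9_.@-]{1,128}$/;

function isValidIp(s) {
  return typeof s === 'string' && (IPV4.test(s) || IPV6.test(s));
}

// Returns { ok, event, errors }. 'event' carries exactly the five fields the
// Set node keeps; 'errors' explains why the item should be dropped.
function extractLoginEvent(body) {
  const ctx = (body && body.context) || {};
  const event = {
    ip: ctx.ip,
    userAgent: ctx.userAgent,
    timestamp: body ? body.originalTimestamp : undefined,
    url: ctx.page ? ctx.page.url : undefined,
    userId: body ? body.userId : undefined,
  };
  const errors = [];
  if (!isValidIp(event.ip)) errors.push('ip is not an IPv4/IPv6 literal');
  if (typeof event.userId !== 'string' || !USER_ID.test(event.userId)) errors.push('userId missing or malformed');
  if (typeof event.userAgent !== 'string' || event.userAgent.length === 0 || event.userAgent.length > 512) errors.push('userAgent missing or too long');
  if (typeof event.timestamp !== 'string' || Number.isNaN(Date.parse(event.timestamp))) errors.push('originalTimestamp is not a parsable date');
  return { ok: errors.length === 0, event, errors };
}

// Constructed sample payloads (not real traffic).
const GOOD_PAYLOAD = {
  userId: 'u_12345',
  originalTimestamp: '2024-05-01T10:15:00.000Z',
  context: {
    ip: '198.51.100.7',
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0',
    page: { url: 'https://app.example.com/login' },
  },
};
const TAMPERED_PAYLOAD = {
  userId: "u_1' OR '1'='1",                       // would alter the Step 8 query if interpolated
  originalTimestamp: '2024-05-01T10:15:00.000Z',
  context: {
    ip: '198.51.100.7/../../v2/noise/context',    // would rewrite the GreyNoise URL path
    userAgent: 'curl/8.0',
    page: { url: 'https://app.example.com/login' },
  },
};

// In n8n the Code node would end with:
//   return $input.all().map(i => ({ json: extractLoginEvent(i.json.body) }));
// and an If node on {{ $json.ok }} would drop rejected items.
console.log(extractLoginEvent(GOOD_PAYLOAD).ok, extractLoginEvent(TAMPERED_PAYLOAD).errors);
```

Rejecting malformed items here is cheaper than discovering them later: a bad IP never reaches GreyNoise or IP-API, and a user ID that is not a plain identifier never reaches Postgres.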

Step 3: Query GreyNoise API for IP Trust Level

Add an HTTP Request node named GreyNoise connected to the Set node. Configure it:

  • Method: GET
  • URL: https://api.greynoise.io/v3/community/{{ $json.ip }}
  • Authentication: Generic Credential Type, Header Auth, with the header name key and your GreyNoise API key as its value.
  • Response option: Never Error, so that a 404 for an IP GreyNoise has never observed (the API answers with noise and riot both false plus an explanatory message) is passed on instead of aborting the execution.

Expected outcome: IP classification info such as noise, riot, and classification values received.

Step 4: Check GreyNoise Noise Flag and Branch

Add an If node named noise? connected to the GreyNoise node's output. Its condition checks whether the boolean $json.noise is true. The true output goes to the classification check (Step 6); the false output goes to the riot? check (Step 5).

Step 5: Check if IP is Riot using Another If Node

Add an If node named riot? that checks whether $json.riot is true. RIOT marks IPs that belong to known business services (CDNs, cloud providers, SaaS vendors), so its true output goes to the trust-level switch of Step 6, while its false output carries the IPs on which GreyNoise has no verdict, the branch the history lookup of Step 8 starts from.

Step 6: Classify Threat and Assign Priority

Add a Switch node named Check classification connected from noise check true output. Define rules for classification values:

  • “malicious” routes to high priority
  • “benign” routes to low priority
  • “unknown” routes to medium priority

Add another Switch node Check trust level connected from the riot? true output; its rules map the trust level values (1 to 3 in the template) to the High, Medium and Low Set nodes of Step 7.

Step 7: Set Priority Levels

Add three Set nodes named 🔴 Priority: HIGH, 🟡 Priority: MEDIUM, and 🟢 Priority: LOW. Each sets a string field priority with the correct label.
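Steps 4 to 7 spread one decision over two If nodes, two Switch nodes and three Set nodes, which makes the priority rules hard to review. The following is an added example, not code from the original workflow: the same decision as one JavaScript function for an n8n Code node. The input field names (ip, noise, riot, classification, name, link, message) are those of the GreyNoise Community API response; trust_level, the direction of its mapping and the sample responses are assumptions of this example, so align them with your own Check trust level rules.

```javascript
// Added example (not part of the original workflow): the branching of
// Steps 4-7 (noise? -> Check classification, riot? -> Check trust level,
// then the three Priority Set nodes) as one function for an n8n Code node.
// Input field names (ip, noise, riot, classification, name, link, message)
// are those of the GreyNoise Community API response; trust_level and the
// direction of its mapping are assumptions, so align them with your own
// Check trust level switch.

const CLASSIFICATION_PRIORITY = { malicious: 'HIGH', benign: 'LOW', unknown: 'MEDIUM' };

// Returns { ip, priority, reason, link, checkHistory }.
// checkHistory=true marks the "GreyNoise has no verdict" branch that feeds
// the Postgres history lookup of Step 8.
function assessGreyNoise(resp) {
  const r = resp || {};
  const base = { ip: r.ip, link: r.link || null, checkHistory: false };

  if (r.noise === true) {
    // Unexpected or missing classification values fall back to MEDIUM
    // rather than silently becoming LOW.
    const cls = String(r.classification || 'unknown').toLowerCase();
    const priority = CLASSIFICATION_PRIORITY[cls] || 'MEDIUM';
    return { ...base, priority, reason: `GreyNoise noise, classification=${cls}` };
  }

  if (r.riot === true) {
    // RIOT = IP belongs to a known business service (CDN, SaaS, etc.).
    // Assumed: trust_level 1 is the most trusted tier -> LOW priority.
    const priority = r.trust_level === 1 ? 'LOW' : 'MEDIUM';
    return { ...base, priority, reason: `RIOT service ${r.name || 'unknown'}, trust_level=${r.trust_level}` };
  }

  // Neither flag set. With "Never Error" enabled this is also where the
  // 404 body for an IP GreyNoise has never observed ends up: there is no
  // verdict, so the behavioural checks (Steps 8-11) have to decide.
  return { ...base, priority: 'MEDIUM', reason: r.message || 'no GreyNoise verdict', checkHistory: true };
}

// Constructed sample responses (field layout only; not real GreyNoise data).
const SAMPLE_RESPONSES = {
  scanner: { ip: '198.51.100.10', noise: true, riot: false, classification: 'malicious', name: 'unknown', link: 'https://viz.greynoise.io/ip/198.51.100.10' },
  cdn:     { ip: '198.51.100.11', noise: false, riot: true, classification: 'benign', name: 'Example CDN', trust_level: 1, link: 'https://viz.greynoise.io/ip/198.51.100.11' },
  unseen:  { ip: '203.0.113.5', noise: false, riot: false, message: 'IP not observed' },
};

// n8n Code node form:
//   return $input.all().map(i => ({ json: { ...i.json, ...assessGreyNoise(i.json) } }));
for (const [label, resp] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(label, assessGreyNoise(resp));
}
```

The function keeps the page's order of precedence (noise is evaluated before riot) and adds the two cases the If/Switch chain does not spell out: a classification value outside malicious/benign/unknown, and a missing or 404 response.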

Step 8: Postgres Query for Last 10 Logins

Add a Postgres node named Get last 10 logins from the same user, connected from the branch for IPs GreyNoise could not classify. Because userId arrives straight from the webhook body, pass it as a bound parameter rather than interpolating the expression into the query string:

SELECT * FROM staging_n8n_cloud_frontend.user_signed_in WHERE user_id = $1 ORDER BY received_at DESC LIMIT 10;

with the node's Query Parameters option set to {{ $json.userId }} (values listed there are referenced as $1, $2, ... in the query). The original template builds the WHERE clause with '{{ $json.userId }}' inside the string, which is a SQL injection point for anyone who can post to the webhook.

This brings historical login data for anomaly detection.

Common mistake: Ensure your Postgres credentials are correctly set in n8n.

Step 9: Query IP Geolocation

Add an HTTP Request node Query IP API1 connected from the Postgres node. URL is:

http://ip-api.com/json/{{ $json.context_ip }}

Because the node's input items are now the rows returned by Postgres, {{ $json.context_ip }} resolves to the IP column stored on each historical row rather than to the ip field set in Step 2, so make sure the current login is geolocated through the same mapping; the city values compared in Step 10 must come from the same source. Each execution can also spend several calls against the free tier's 45 requests per minute, so the limit is reached quickly during a login burst.

Step 10: Compare New Location with Historical Logins

Add an If node New location? that checks whether the current login's city (from the IP-API response) appears among the cities of the historical logins in the merged login info. True means a new location; false means a known one. City-level IP geolocation is noisy (mobile carriers, CGNAT and VPN exits move users between cities), so consider comparing the country as well before treating a new city on its own as suspicious, and treat an IP-API response with status fail (private or reserved addresses) as unknown rather than new.

Step 11: Detect New Device or Browser

Add an HTTP Request node named Parse User Agent that sends user agent string to UserParser API for detailed device/browser info.

Connect its output to an If node New Device/Browser? that compares the parsed device type, browser name and operating system with the historical logins. If the combination has not been seen for this user before, route to the suspicious branch; otherwise continue as a known device.

Step 12: Merge Data for Complete Login Info

Add a Merge node Complete login info to combine data from GreyNoise, IP API, and UserParser nodes, facilitating comprehensive analysis downstream.
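The two comparisons of Steps 10 and 11, run on the merged data of Step 12, are easier to test as one function than as two If nodes. The following is an added example, not code from the original workflow: the location and device checks in JavaScript for an n8n Code node, including the edge cases the If nodes do not cover (a first-ever login with no history, and an IP-API lookup that failed). The IP-API fields status, city and countryCode are the service's real ones; the history column names (city, country_code, device_type, browser_name, os_name), the flattened device/browser/os fields for the current login and the sample rows are assumptions of this example.

```javascript
// Added example (not part of the original workflow): the comparisons behind
// the New location? and New Device/Browser? If nodes (Steps 10-11), run on
// the merged data of Step 12, as one function for an n8n Code node. The
// IP-API response fields (status, city, countryCode) are real; the history
// row columns (city, country_code, device_type, browser_name, os_name) and
// the flattened device/browser/os fields for the current login are
// assumptions, so map them to your user_signed_in table and UserParser output.

function norm(v) {
  return v == null ? null : String(v).trim().toLowerCase();
}

// IP-API returns { status: 'fail', message: ... } for private or reserved
// addresses; the location is then unknown, which must not count as "new".
function locationFromIpApi(geo) {
  if (!geo || geo.status !== 'success') return null;
  return { city: norm(geo.city), countryCode: norm(geo.countryCode) };
}

function detectAnomalies(current, history) {
  const result = {
    hasBaseline: history.length > 0,
    locationUnknown: false,
    newLocation: false,
    newCountry: false,
    newDevice: false,
  };
  // First login ever: nothing to compare with. Decide upstream whether to
  // alert on that; flagging it here as "new" would only create noise.
  if (!result.hasBaseline) return result;

  const loc = locationFromIpApi(current.geo);
  if (loc === null) {
    result.locationUnknown = true;
  } else {
    const seenCities = new Set(history.map(h => `${norm(h.city)}|${norm(h.country_code)}`));
    const seenCountries = new Set(history.map(h => norm(h.country_code)));
    result.newLocation = !seenCities.has(`${loc.city}|${loc.countryCode}`);
    // City geolocation is noisy (carrier NAT, VPN exits); a new country is
    // the stronger signal and is worth reporting separately.
    result.newCountry = !seenCountries.has(loc.countryCode);
  }

  const fp = `${norm(current.device)}|${norm(current.browser)}|${norm(current.os)}`;
  const seenFingerprints = new Set(history.map(h => `${norm(h.device_type)}|${norm(h.browser_name)}|${norm(h.os_name)}`));
  result.newDevice = !seenFingerprints.has(fp);
  return result;
}

// Constructed sample data (not real users or logins).
const HISTORY = [
  { city: 'London', country_code: 'GB', device_type: 'desktop', browser_name: 'Chrome', os_name: 'macOS' },
  { city: 'London', country_code: 'GB', device_type: 'desktop', browser_name: 'Chrome', os_name: 'macOS' },
  { city: 'Manchester', country_code: 'GB', device_type: 'mobile', browser_name: 'Safari', os_name: 'iOS' },
];
const CURRENT_SUSPICIOUS = {
  geo: { status: 'success', city: 'Lagos', countryCode: 'NG' },
  device: 'desktop', browser: 'Firefox', os: 'Windows',
};
const CURRENT_KNOWN = {
  geo: { status: 'success', city: 'london', countryCode: 'gb' },   // case differs on purpose
  device: 'Desktop', browser: 'chrome', os: 'MACOS',
};

// n8n Code node form, assuming the Merge node put the geo/device fields and
// a history array on one item:
//   return [{ json: detectAnomalies($json, $json.history) }];
console.log(detectAnomalies(CURRENT_SUSPICIOUS, HISTORY));
```

Comparing the device, browser and OS as one fingerprint (rather than each field on its own) avoids a false alarm every time a user who already has both a laptop and a phone on file logs in from the other one.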

Step 13: Query User Details for Notification

From branches triggered by new location or device/browser detection, use a Postgres node Query user by ID to fetch user’s email and profile data.

Step 14: Check if User Has Email and Prepare Notification

Add an If node User has email? to ensure an email address exists. If yes, use an HTML node to prepare a notification email template including login details and security advice.

Step 15: Send Email Notification

Connect the HTML node to a Gmail node named Inform user to send the alert email to the user with the subject "Important: Unusual Login Attempt Detected".

Step 16: Slack Alert Notification

For all priority levels, connect their outputs to a Slack node to post detailed alert messages to your security team's Slack channel. Include the link field from the GreyNoise response so analysts can open the IP report directly.

Customizations ✏️

  • Adjust Priority Rules: Modify the Check classification and Check trust level switch nodes to treat certain classifications as higher or lower priority according to your organization’s risk tolerance.
  • Extend Historical Data Lookup: Increase or decrease SQL query limits in the Get last 10 logins from the same user node for more comprehensive or focused user login history views.
  • Modify Notification Content: Tailor the HTML email node to include more branding, additional user actions, or localized messages.
  • Integrate SMS alerts: Add Twilio or similar SMS nodes after priority setting to notify security or user teams via text message.
  • Add Multi-Factor Authentication Trigger: Extend the workflow to flag users and trigger MFA prompts upon detection of suspicious login events.

Troubleshooting 🔧

Problem: “HTTP Request to GreyNoise API fails or returns empty data.”
Cause: Invalid or missing API key, network issues, or an IP that GreyNoise has never observed.
Solution: Verify the GreyNoise API key in the HTTP Request node credentials (header name key). Test the endpoint manually against a known IP. Ensure network connectivity and no firewall blocking. Remember that a 404 for an IP GreyNoise has never observed is a normal answer rather than a failure; with Never Error enabled it arrives as a body with noise and riot both false.

Problem: “No email sent to user despite suspicious login detection.”
Cause: Email address missing from user data or Gmail node misconfiguration.
Solution: Confirm user email presence in database. Check Gmail node credentials and test sending a manual email.

Problem: “Postgres query returns no results or errors.”
Cause: Incorrect SQL syntax or mismatched field names.
Solution: Double-check the database connection, table names, field names, and the dynamic userId parameter passing.

Pre-Production Checklist ✅

  • Verify webhook URL is correctly set and reachable from your login event source.
  • Test GreyNoise API connectivity with a known IP address.
  • Ensure Postgres database has user login history and is accessible with provided credentials.
  • Verify Slack API token and channel names are accurate.
  • Perform manual test login events using the built-in n8n manual trigger and example event node.
  • Check user email addresses exist for notification delivery.
  • Backup your workflow before deployment.

Deployment Guide

Once fully tested, activate the webhook node to start receiving live login events. Monitor workflow executions via the n8n UI to ensure smooth operation. Use Slack alerts as immediate incident notifications and verify email alerts reach users promptly. Consider enabling workflow retries on failure and logging of events for audit purposes.

FAQs

Can I use a different geolocation service instead of IP-API?

Yes, the workflow’s HTTP Request nodes can be reconfigured to use other APIs like MaxMind or IPStack by changing the URLs and ensuring the JSON path mappings remain consistent.

Does using GreyNoise consume a lot of API credits?

GreyNoise has rate limits and API usage costs depending on your subscription. For community API usage, it’s free but limited. Monitor usage to avoid hitting quotas.

Is my data safe within this workflow?

n8n stores API keys and database passwords encrypted in its credential store, and only the workflow's nodes can use them. Be aware, though, of what leaves your environment: every login's source IP is sent to GreyNoise and IP-API (the free IP-API endpoint is plain HTTP), and the user agent is sent to UserParser. Check those providers' data-handling terms, prefer HTTPS endpoints where available, authenticate the webhook, and restrict the Postgres credential to read access on the login tables.

Conclusion

By building this n8n Suspicious Login Detection workflow, you empower your security team to rapidly detect and prioritize unauthorized login attempts. Integrating GreyNoise threat intelligence with geolocation and user agent parsing enriches your security posture. The automation significantly reduces manual review efforts, saving hours weekly and preventing potentially costly breaches.

Next steps could include expanding to multi-factor authentication triggers, integrating with SIEM tools, or adding automated account lockout policies. This workflow sets a strong foundation for proactive account security in your digital environment.
