{ "name": "Suspicious login detection", "nodes": [ { "id": "a95e464a-7451-4737-9db8-993a6568595b", "name": "Extract relevant data", "type": "n8n-nodes-base.set", "position": [ -260, 700 ] }, { "id": "d7dea680-14f3-4ffd-bfaf-f928b69d801d", "name": "New /login event", "type": "n8n-nodes-base.webhook", "position": [ -740, 700 ] }, { "id": "bd75aad9-2d24-4083-823d-bc789fb7ef07", "name": "Unknown threat?", "type": "n8n-nodes-base.if", "position": [ 720, 1240 ] }, { "id": "d0845980-3b8c-4659-95a1-82e925867f28", "name": "Get last 10 logins from the same user", "type": "n8n-nodes-base.postgres", "position": [ 960, 1220 ] }, { "id": "90e859b2-aa64-48e7-a8fe-696e3b7216f1", "name": "Query IP API1", "type": "n8n-nodes-base.httpRequest", "position": [ 1240, 1340 ] }, { "id": "3a944973-132a-4272-97e3-42528eb4c0fc", "name": "New location?", "type": "n8n-nodes-base.if", "position": [ 1440, 1340 ] }, { "id": "fb4d5d07-58ae-4b17-a389-29e7fbe2caa2", "name": "Parse User Agent", "type": "n8n-nodes-base.httpRequest", "position": [ 1260, 1640 ] }, { "id": "56442924-914c-461d-b4d7-f08192e1b53b", "name": "Merge", "type": "n8n-nodes-base.merge", "position": [ 295, 1502 ] }, { "id": "2b36f782-029d-41de-8823-6c083f3c305a", "name": "New Device/Browser?", "type": "n8n-nodes-base.if", "position": [ 1460, 1640 ] }, { "id": "612c3704-6ea1-4978-ae84-17326f459c25", "name": "Complete login info", "type": "n8n-nodes-base.merge", "position": [ 540, 1240 ] }, { "id": "9c097c31-a86d-45fe-92c7-14a58eae87b4", "name": "Query user by ID", "type": "n8n-nodes-base.postgres", "position": [ 2020, 1340 ] }, { "id": "cd6fb55b-b8f6-4778-a62a-34be42e2660d", "name": "New Location", "type": "n8n-nodes-base.noOp", "position": [ 1660, 1280 ] }, { "id": "7070a43a-d588-4bbb-b8d0-50e8eff171df", "name": "New Device/Browser", "type": "n8n-nodes-base.noOp", "position": [ 1674, 1625 ] }, { "id": "dca6d5ed-d92f-49a6-9910-c9194e696e70", "name": "User has email?", "type": "n8n-nodes-base.if", "position": [ 2360, 1360 ] }, { "id": "14cd3d37-5c00-4750-8ad2-f78fce66019c", "name": "HTML", "type": "n8n-nodes-base.html", "position": [ 2580, 1313 ] }, { "id": "e99f7779-9b84-4f8c-80a0-b34c3c9df5b4", "name": "Inform user", "type": "n8n-nodes-base.gmail", "position": [ 2740, 1313 ] }, { "id": "b280b287-7b20-4dcb-9c0a-a3e5c3a60771", "name": "noise?", "type": "n8n-nodes-base.if", "position": [ 340, 220 ] }, { "id": "5be949da-f04a-44f9-9cf0-5e221f9d27e8", "name": "Slack", "type": "n8n-nodes-base.slack", "position": [ 1560, 500 ] }, { "id": "241e492c-fb9a-4b93-bd76-4167cb67f212", "name": "Check trust level", "type": "n8n-nodes-base.switch", "position": [ 780, 360 ] }, { "id": "f99741d0-161e-49c6-8e41-d61b080e977d", "name": "Check classification", "type": "n8n-nodes-base.switch", "position": [ 780, 200 ] }, { "id": "594857f6-713f-496e-8257-b74acf5d1282", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 0.10300782209924364, -502.1236093865191 ], "parameters": { "width": 1443.8164871528645, "height": 1185.151137495839, "content": "![greynoise](https://i.imgur.com/4vSwTkY.png)\n## 🚦 Advanced Threat Prioritization with GreyNoise Data\n\nIn this section of the workflow, the integration of GreyNoise data, particularly in the `GreyNois" } }, { "id": "ee90c638-882d-4a2e-8164-adaf4ec386be", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [ 1450.4432083435722, -139 ], "parameters": { "width": 560.0194854548777, "height": 818.6128004838087, "content": "![Slack](https://i.imgur.com/iKyMV0N.png)\n## 📢 Slack Notification for Alert Dissemination\n\nThe `Slack` node plays a crucial role in alert communication. It ensures that once a threat is identified and" } }, { "id": "b617da5f-f7e0-4c6d-8080-c1d4b2e2ed53", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ 477, 690 ], "parameters": { "width": 696.8700988949365, "height": 894.3487921624444, "content": "![postgre](https://i.imgur.com/OEqO3MQ.png)\n## 🔄 Synthesizing Data for Comprehensive Analysis\nThe `Complete login info` node serves as a crucial juncture, integrating data from multiple sources for a" } }, { "id": "1e106297-b7db-4b2d-b08c-a35880782c8c", "name": "Sticky Note5", "type": "n8n-nodes-base.stickyNote", "position": [ 1185, 691 ], "parameters": { "width": 663.6738255654103, "height": 892.4220900613532, "content": "![ipapi](https://i.imgur.com/OMhn14b.png)\n## 📍 Assessing Login Location Anomalies\n\nThe nodes following `Get last 10 logins from the same user` are dedicated to analyzing login location patterns to ide" } }, { "id": "3e091a54-2fdc-491c-a168-0fb4fb704fd8", "name": "Sticky Note9", "type": "n8n-nodes-base.stickyNote", "position": [ 2310.5877845770297, 691.4637444823477 ], "parameters": { "width": 629.1148167417672, "height": 841.097003209987, "content": "![gmail](https://i.imgur.com/f6f6my0.png)\n## 📧 Notifying Users About Unusual Login Attempts\n\nIn the final section of the \"Suspicious Login Detection\" workflow, the nodes `User has email?`, `HTML`, and" } }, { "id": "f9c6f726-ce2f-448b-a392-b86e0507ce13", "name": "Sticky Note10", "type": "n8n-nodes-base.stickyNote", "position": [ 1858, 691.3527917931716 ], "parameters": { "width": 442.82773054232473, "height": 839.4355618292594, "content": "![postgre](https://i.imgur.com/OEqO3MQ.png)\n## 🧩 Querying User Details for Enhanced Context\n\nThe `Query user by ID` node plays a key role in gathering additional user-specific information to provide e" } }, { "id": "6fd1a35c-5abc-4655-b5b5-836b49129d24", "name": "riot?", "type": "n8n-nodes-base.if", "position": [ 520, 380 ] }, { "id": "123fa821-4eb0-42b9-99c9-a0157f7ffac8", "name": "🔴 Priority: HIGH", "type": "n8n-nodes-base.set", "position": [ 1180, 220 ] }, { "id": "459d0152-8184-4031-8f70-6c100f2bc6c3", "name": "🟡 Priority: MEDIUM", "type": "n8n-nodes-base.set", "position": [ 1180, 360 ] }, { "id": "58427db9-8ef7-4916-8564-727bd587401d", "name": "🟢 Priority: LOW", "type": "n8n-nodes-base.set", "position": [ 1180, 500 ] }, { "id": "fd1e93a2-267e-4d5e-9724-6a4bb46b94b2", "name": "GreyNoise", "type": "n8n-nodes-base.httpRequest", "position": [ 280, 440 ] }, { "id": "032b9558-a19b-4790-8593-8949ab2606d4", "name": "IP API", "type": "n8n-nodes-base.httpRequest", "position": [ 40, 1280 ] }, { "id": "6cff0db9-27c3-4c4b-9af0-e8a8d55ad107", "name": "UserParser", "type": "n8n-nodes-base.httpRequest", "position": [ 80, 1522 ] }, { "id": "65c7a039-5257-495d-86c2-18a44627ebe1", "name": "When clicking \"Execute Workflow\"", "type": "n8n-nodes-base.manualTrigger", "position": [ -740, 880 ] }, { "id": "a038a10a-baaf-4649-9d38-4fa661dfc4ce", "name": "Example event", "type": "n8n-nodes-base.code", "position": [ -480, 880 ] }, { "id": "700a08d8-09ce-486c-bcfb-07d15f268d08", "name": "Sticky Note7", "type": "n8n-nodes-base.stickyNote", "position": [ -803, -83 ], "parameters": { "width": 794.5711626683587, "height": 1175.5321499586535, "content": "![webhook](https://i.imgur.com/D6SP9P0.png)\n## Workflow Overview\n\nExperience enhanced cybersecurity with the `Suspicious Login Detection` workflow in n8n, your go-to solution for real-time monitoring " } }, { "id": "ff6bbb3c-1c14-4e94-bfae-58e8cbb098c4", "name": "Sticky Note11", "type": "n8n-nodes-base.stickyNote", "position": [ 0.113308604309168, 690 ], "parameters": { "width": 469.4801859287644, "height": 736.6018800373852, "content": "![ipapi](https://i.imgur.com/OMhn14b.png)\n## 🌐 IP Geolocation with IP-API\nThe `IP API` node in the \"Suspicious Login Detection\" workflow adds crucial geolocation context to login events. It queries IP" } }, { "id": "57adbcf5-f927-4bdb-b863-bcff97be0ace", "name": "Sticky Note12", "type": "n8n-nodes-base.stickyNote", "position": [ 0, 1435 ], "parameters": { "width": 470.4372486447854, "height": 1044.866146557656, "content": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n![userparser](https://i.imgur.com/IxvDyZB.png)\n## 🔄 Merging Geolocation and User Agent Data\n\nIn the \"Suspicious Login Detection\" workflow, the `Merge` node plays a pivotal role in syn" } }, { "id": "44830be0-428a-492e-97f7-66289fac6231", "name": "Sticky Note13", "type": "n8n-nodes-base.stickyNote", "position": [ 1184, 1590 ], "parameters": { "width": 659.8254746666762, "height": 845.1421530016269, "content": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n![userparser](https://i.imgur.com/IxvDyZB.png)\n## 📱 Identifying Device and Browser Anomalies\nthe `Parse User Agent` and `New Device/Browser?` nodes focus on detecting anomalies in dev" } }, { "id": "e0bcc621-ff1f-47ca-a63a-f1af5c521c9a", "name": "Known, Do Nothing", "type": "n8n-nodes-base.noOp", "position": [ 960, 1440 ] }, { "id": "92c08a63-6961-40f6-993e-052a311f4bb6", "name": "Known Location", "type": "n8n-nodes-base.noOp", "position": [ 1660, 1420 ] }, { "id": "bb1621e0-8297-4e6c-bcdf-eae683a4b830", "name": "Old Device/Browser", "type": "n8n-nodes-base.noOp", "position": [ 1674, 1765 ] }, { "id": "9c987dd1-8d27-4067-9956-712eae4a228c", "name": "Not Riot", "type": "n8n-nodes-base.noOp", "position": [ 780, 520 ] } ], "connections": { "HTML": { "main": [ [ { "node": "Inform user", "type": "main", "index": 0 } ] ] }, "Merge": { "main": [ [ { "node": "Complete login info", "type": "main", "index": 1 } ] ] }, "riot?": { "main": [ [ { "node": "Check trust level", "type": "main", "index": 0 } ], [ { "node": "Not Riot", "type": "main", "index": 0 } ] ] }, "IP API": { "main": [ [ { "node": "Merge", "type": "main", "index": 0 } ] ] }, "noise?": { "main": [ [ { "node": "Check classification", "type": "main", "index": 0 } ], [ { "node": "riot?", "type": "main", "index": 0 } ] ] }, "GreyNoise": { "main": [ [ { "node": "Complete login info", "type": "main", "index": 0 }, { "node": "noise?", "type": "main", "index": 0 } ] ] }, "UserParser": { "main": [ [ { "node": "Merge", "type": "main", "index": 1 } ] ] }, "New Location": { "main": [ [ { "node": "Query user by ID", "type": "main", "index": 0 } ] ] }, "Example event": { "main": [ [ { "node": "Extract relevant data", "type": "main", "index": 0 } ] ] }, "New location?": { "main": [ [ { "node": "New Location", "type": "main", "index": 0 } ], [ { "node": "Known Location", "type": "main", "index": 0 } ] ] }, "Query IP API1": { "main": [ [ { "node": "New location?", "type": "main", "index": 0 } ] ] }, "Unknown threat?": { "main": [ [ { "node": "Get last 10 logins from the same user", "type": "main", "index": 0 } ], [ { "node": "Known, Do Nothing", "type": "main", "index": 0 } ] ] }, "User has email?": { "main": [ [ { "node": "HTML", "type": "main", "index": 0 } ] ] }, "New /login event": { "main": [ [ { "node": "Extract relevant data", "type": "main", "index": 0 } ] ] }, "Parse User Agent": { "main": [ [ { "node": "New Device/Browser?", "type": "main", "index": 0 } ] ] }, "Query user by ID": { "main": [ [ { "node": "User has email?", "type": "main", "index": 0 } ] ] }, "Check trust level": { "main": [ [], [ { "node": "🔴 Priority: HIGH", "type": "main", "index": 0 } ], [ { "node": "🟡 Priority: MEDIUM", "type": "main", "index": 0 } ], [ { "node": "🟢 Priority: LOW", "type": "main", "index": 0 } ] ] }, "New Device/Browser": { "main": [ [ { "node": "Query user by ID", "type": "main", "index": 0 } ] ] }, "🟢 Priority: LOW": { "main": [ [ { "node": "Slack", "type": "main", "index": 0 } ] ] }, "Complete login info": { "main": [ [ { "node": "Unknown threat?", "type": "main", "index": 0 } ] ] }, "New Device/Browser?": { "main": [ [ { "node": "New Device/Browser", "type": "main", "index": 0 } ], [ { "node": "Old Device/Browser", "type": "main", "index": 0 } ] ] }, "🔴 Priority: HIGH": { "main": [ [ { "node": "Slack", "type": "main", "index": 0 } ] ] }, "Check classification": { "main": [ [ { "node": "🔴 Priority: HIGH", "type": "main", "index": 0 } ], [ { "node": "🟡 Priority: MEDIUM", "type": "main", "index": 0 } ], [ { "node": "🟢 Priority: LOW", "type": "main", "index": 0 } ] ] }, "Extract relevant data": { "main": [ [ { "node": "GreyNoise", "type": "main", "index": 0 }, { "node": "UserParser", "type": "main", "index": 0 }, { "node": "IP API", "type": "main", "index": 0 } ] ] }, "🟡 Priority: MEDIUM": { "main": [ [ { "node": "Slack", "type": "main", "index": 0 } ] ] }, "When clicking \"Execute Workflow\"": { "main": [ [ { "node": "Example event", "type": "main", "index": 0 } ] ] }, "Get last 10 logins from the same user": { "main": [ [ { "node": "Query IP API1", "type": "main", "index": 0 }, { "node": "Parse User Agent", "type": "main", "index": 0 } ] ] } } }