Suspicious login detection (Anomalous Login Detection)

Workflow Name

Suspicious_login_detection (Anomalous Login Detection)

Key Features and Highlights

This workflow enables real-time monitoring and anomaly detection of user login activities by integrating multi-dimensional data sources for comprehensive analysis, rapidly identifying and prioritizing potential security threats. Highlights include:

• Multi-Source Data Fusion: Integrates GreyNoise threat intelligence, IP-API geolocation services, and UserParser user-agent parsing to create detailed contextual login information.
• Anomalous Behavior Identification: Automatically detects new login locations and devices/browsers by comparing against historical login records to promptly identify suspicious logins.
• Intelligent Threat Prioritization: Automatically assigns high, medium, or low alert levels based on GreyNoise IP reputation and classification data, optimizing security response workflows.
• Multi-Channel Alert Notifications: Supports real-time security alert pushes via Slack channels and sends email notifications to users regarding anomalous logins, enhancing security awareness.
• Flexible Trigger Mechanisms: Supports triggering via Webhook for real login events and manual triggers for testing, facilitating deployment and debugging.

Core Problems Addressed

• Timely detection and response to anomalous user account logins to prevent unauthorized access.
• Reducing false positives and improving detection accuracy through rich threat intelligence and user behavior comparison.
• Automated priority management and notification mechanisms to ensure security teams efficiently handle the most critical incidents.
• Enhancing end-user security confidence by proactively informing them of potential risks and promoting collaborative security protection.

Application Scenarios

• User identity security management for enterprises or organizations.
• Login security monitoring for SaaS products or online services.
• Security Operations Centers (SOC) requiring automated security event detection and alerting.
• Security automation workflows involving advanced threat analysis through multi-source data integration.

Main Process Steps

1. Data Collection
   Receive login events via Webhook and extract key data (IP address, user agent, timestamp, user ID, accessed URL, etc.).
2. Threat Intelligence Query
   • Call GreyNoise API to obtain IP security reputation and classification.
   • Call IP-API to retrieve geolocation information.
   • Call UserParser to parse user-agent strings and identify device, browser, and operating system.
3. Data Aggregation and Analysis
   Merge the above data to form a comprehensive login profile.
4. Anomaly Detection
   • Query the user’s last 10 login records and compare current login geolocation and device information.
   • Determine if the login originates from a new location or new device/browser.
5. Threat Prioritization
   Assign risk priority (high, medium, low) to the login event based on GreyNoise classification, trust level, and anomaly detection results.
6. Alerting and Notification
   • Send detailed security alerts via Slack, including priority level, user info, IP details, and GreyNoise report links.
   • If the user has an email address, send HTML-formatted email notifications detailing the anomalous login and providing security recommendations.
7. Follow-up Actions
   Based on priority and context, the security team may take measures such as password resets or account suspension.

Involved Systems and Services

• GreyNoise: Provides IP threat intelligence to classify IPs as malicious, benign, or unknown.
• IP-API: Offers geolocation data for IP addresses.
• UserParser: Parses user-agent strings to identify login devices and browsers.
• Postgres Database: Stores user and login history data for comparison and analysis.
• Slack: Sends instant alert messages to the security team.
• Gmail: Sends anomalous login notification emails to users.
• Webhook: Receives real-time login events to trigger the workflow.
• Manual Trigger: Supports manual triggering for testing purposes.

Target Users and Value Proposition

• Security Operations Teams (SecOps): Achieve automated and efficient anomalous login detection and threat response with this workflow.
• Product Security Managers: Enhance product account security and reduce incidents caused by suspicious logins.
• IT Operations Personnel: Quickly identify risky IPs and anomalous behaviors by integrating multiple data sources, simplifying security analysis.
• General Enterprise Users: Protect account security by timely awareness of abnormal access and proactively mitigating potential risks.

This workflow provides a mature and extensible solution for building intelligent and secure login monitoring systems, helping organizations strengthen their security posture and safeguard digital assets.