workflows.fit
Back to n8n workflows
n8n templateFreeBy Marth - Business Automation

Monitor security logs for failed login attempts with Slack alerts

How It Works: The 5-Node Anomaly Detection Flow This workflow efficiently processes logs to detect anomalies. 1. Scheduled Check (Cron Node): This is the primary trigger. It schedules the workflow to run at a defined ...

DevelopmentCore NodesCommunicationHITLSchedule TriggerHttp RequestCodeIf
Loading interactive preview...

Template notes

How It Works: The 5-Node Anomaly Detection Flow

This workflow efficiently processes logs to detect anomalies.

1. Scheduled Check (Cron Node): This is the primary trigger. It schedules the workflow to run at a defined interval (e.g., every 15 minutes), ensuring logs are routinely scanned for suspicious activity.

2. Fetch Logs (HTTP Request Node): This node is responsible for retrieving logs from an external source. It sends a request to your log API endpoint to get a batch of the most recent logs.

3. Count Failed Logins (Code Node): This is the core of the detection logic. The JavaScript code filters the logs for a specific event ("loginfailure"), counts the total, and identifies unique IPs involved. This information is then passed to the next node.

4. Failed Logins > Threshold? (If Node): This node serves as the final filter. It checks if the number of failed logins exceeds a threshold you set (e.g., more than 5 attempts). If it does, the workflow is routed to the notification node; if not, the workflow ends safely.

5. Send Anomaly Alert (Slack Node): This node sends an alert to your team if an anomaly is detected. The Slack message includes a summary of the anomaly, such as the number of failed attempts and the IPs involved, enabling a swift response.

---