Monitor security logs for failed login attempts with Slack alerts
How It Works: The 5-Node Anomaly Detection Flow This workflow efficiently processes logs to detect anomalies. 1. Scheduled Check (Cron Node): This is the primary trigger. It schedules the workflow to run at a defined ...
Template notes
How It Works: The 5-Node Anomaly Detection Flow
This workflow efficiently processes logs to detect anomalies.
1. Scheduled Check (Cron Node): This is the primary trigger. It schedules the workflow to run at a defined interval (e.g., every 15 minutes), ensuring logs are routinely scanned for suspicious activity.
2. Fetch Logs (HTTP Request Node): This node is responsible for retrieving logs from an external source. It sends a request to your log API endpoint to get a batch of the most recent logs.
3. Count Failed Logins (Code Node): This is the core of the detection logic. The JavaScript code filters the logs for a specific event ("loginfailure"), counts the total, and identifies unique IPs involved. This information is then passed to the next node.
4. Failed Logins > Threshold? (If Node): This node serves as the final filter. It checks if the number of failed logins exceeds a threshold you set (e.g., more than 5 attempts). If it does, the workflow is routed to the notification node; if not, the workflow ends safely.
5. Send Anomaly Alert (Slack Node): This node sends an alert to your team if an anomaly is detected. The Slack message includes a summary of the anomaly, such as the number of failed attempts and the IPs involved, enabling a swift response.
---