Monitor failed logins in Email
Catch the login failures that look like an attack — repeated misses from one address — with geo and network context attached before they reach you.
01 source
02 pipeline · 3 steps
- 01 CTL filter.match: attempt ≥ 5 only
- 02 ENR enrich.entity: ip → geo · asn · known-bad
- 03 MUT redact.pii: mask email before posting
03 destinations · 1
- to email.out · Email · to alerts@acme.com
the event
You emit login.failed with this shape. The TypeScript SDK keeps the call type-safe, and the event is stored whole — so every field below is available to the pipeline by name.
- email: string
- ip: string
- reason: string (bad-password | locked | mfa)
- attempt: number (consecutive misses)
emit it
From your code with the TypeScript SDK — or any language over the REST endpoint and signed webhook ingress.
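```typescript
import { ingest } from "@ingestlayer/sdk";

// creds, req and result are assumed to be in scope in your login handler;
// result.consecutive is the running count of consecutive misses.
await ingest("login.failed", {
  email: creds.email,
  ip: req.ip,
  reason: result.reason,
  attempt: result.consecutive,
});
```
route it to Email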
Send a transactional email to one or more recipients, addressable from event fields.
- 01 set the recipient
  Enter a fixed address, or reference an event field like $event.payload.email to route per event.
- 02 write subject and body
  Both accept $event.* templates. The body renders as plain text with an optional summary table of the payload.
- 03 confirm the sender
  Mail goes out from mail@notify.ingestlayer.com with SPF and DKIM aligned. Set a reply-to if you want responses to reach you.
```
From: mail@notify.ingestlayer.com
To: alerts@acme.com
Subject: Payment failed — acme-inc (€240.00)

A charge failed for acme-inc.

amount   €240.00
reason   insufficient_funds
attempt  2
```
notes
- Outbound email is metered against a monthly quota that scales with your plan; over-quota sends are deferred, not dropped.
- Sending from a fixed ingestlayer domain keeps deliverability high, but the From address is not your own domain.
- Recipient addresses pulled from event fields are validated at send time; a malformed address dead-letters that delivery.
questions
- How do I avoid alerting on typos?
  Filter on the attempt count so a single fat-fingered password stays quiet and only sustained failures escalate.
- Where does the geo come from?
  enrich.entity resolves the IP to geo, ASN, and a known-bad flag in flight, so the alert carries the context to act on.
- Is it safe to post emails to a channel?
  redact.pii masks the email for the chat destination while the full record still lands in your audit table.
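A local model of the `attempt` counter and of the filter and redact steps described above, added here as an example; it is not ingestlayer's SDK or pipeline code. `MissCounter`, `maskEmail`, `toAlert`, the email-plus-IP streak key and the masking format are assumptions, and enrichment is left out because it needs an external geo/ASN source.

```typescript
// Added example: a local model, not the ingestlayer SDK or its pipeline.
type Reason = "bad-password" | "locked" | "mfa";
interface LoginFailed { email: string; ip: string; reason: Reason; attempt: number; }

const THRESHOLD = 5; // mirrors the page's "attempt ≥ 5 only" filter

// Assumption: a streak is keyed on normalized email + source IP; a success clears it.
class MissCounter {
  private streaks = new Map<string, number>();
  private key(email: string, ip: string): string {
    return `${email.trim().toLowerCase()}|${ip}`;
  }
  fail(email: string, ip: string, reason: Reason): LoginFailed {
    const k = this.key(email, ip);
    const attempt = (this.streaks.get(k) ?? 0) + 1;
    this.streaks.set(k, attempt);
    return { email, ip, reason, attempt };
  }
  success(email: string, ip: string): void {
    this.streaks.delete(this.key(email, ip));
  }
}

// Hypothetical masking rule: keep the first character and the domain only.
function maskEmail(email: string): string {
  const at = email.lastIndexOf("@");
  if (at < 1) return "***"; // malformed address: reveal nothing
  return `${email[0]}***${email.slice(at)}`;
}

// Filter, then redact, in the order the page lists; null means "stay quiet".
function toAlert(ev: LoginFailed): LoginFailed | null {
  if (ev.attempt < THRESHOLD) return null;
  return { ...ev, email: maskEmail(ev.email) };
}

// Constructed sample: a two-miss typo streak ended by a success, then six misses in a row.
function demo(): LoginFailed[] {
  const c = new MissCounter();
  const out: (LoginFailed | null)[] = [];
  for (let i = 0; i < 2; i++) out.push(toAlert(c.fail("ana@example.com", "198.51.100.7", "bad-password")));
  c.success("ana@example.com", "198.51.100.7");
  for (let i = 0; i < 6; i++) out.push(toAlert(c.fail("Bob@example.com", "203.0.113.9", "bad-password")));
  return out.filter((a): a is LoginFailed => a !== null);
}
```

Keying the streak on email plus IP keeps typos quiet but does not count one IP failing against many accounts; a second counter keyed on IP alone covers that case.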