Monitor failed logins in Notion

Catch the login failures that look like an attack — repeated misses from one address — with geo and network context attached before they reach you.

01 source

source: sdk.event (TypeScript SDK)
match: login.failed

02 pipeline · 3 steps

  • 01 CTL filter.match: attempt ≥ 5 only
  • 02 ENR enrich.entity: ip → geo · asn · known-bad
  • 03 MUT redact.pii: mask email before posting

03 destinations · 1

  • to: notion.db (Notion)
    database: Signups

the event

You emit login.failed with this shape. The TypeScript SDK keeps the call type-safe, and the event is stored whole — so every field below is available to the pipeline by name.

  • email: string
  • ip: string
  • reason: string (bad-password | locked | mfa)
  • attempt: number (consecutive misses)

emit it

From your code with the TypeScript SDK — or any language over the REST endpoint and signed webhook ingress.

emit login.failed
import { ingest } from "@ingestlayer/sdk";

await ingest("login.failed", {
  email:   creds.email,
  ip:      req.ip,
  reason:  result.reason,
  attempt: result.consecutive,
});

route it to Notion

Append events as rows to a Notion database, or content to a page. Connect once with OAuth, pick the target per pipeline.

  1. connect your workspace

    Authorize the ingestlayer Notion integration over OAuth from the destinations page, then choose which databases and pages it may touch. We hold only that workspace's access token, in-region, in the same KMS as your other credentials.

  2. pick a target

    Per pipeline, choose a database to append a typed row to, or a page to append content to. The picker lists exactly what you shared with the integration during authorization — nothing else.

  3. map the columns

    For a database, match event fields to Notion properties — automatically by column name, or per-column with $event.* templates. The title column falls back to the event name, so a row is never blank. For a page, the rendered body is appended as blocks.

in notion · delivered
┌─ Signups · database ───────────────────┐
│  Name        ada@acme.com               │
│  Plan        ● pro                       │
│  Source      marketing-site             │
│  Signed up   2026-06-03                  │
└─────────────────────────────────────────┘

notes

questions

How do I avoid alerting on typos?
Filter on the attempt count so a single fat-fingered password stays quiet and only sustained failures escalate.
Where does the geo come from?
enrich.entity resolves the IP to geo, ASN, and a known-bad flag in flight, so the alert carries the context to act on.
Is it safe to post emails to a channel?
redact.pii masks the email for the chat destination while the full record still lands in your audit table.
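
The three steps these answers describe, modelled locally as an added example. This is not ingestlayer's code or SDK: the function names, the lookup table, the mask format and the sample events are assumptions constructed for illustration.

```typescript
// Added example: a local model of the recipe's three steps. Not ingestlayer code.
type Reason = "bad-password" | "locked" | "mfa";
interface LoginFailed { email: string; ip: string; reason: Reason; attempt: number }
interface IpContext { geo: string; asn: string; knownBad: boolean }
type Alert = LoginFailed & IpContext;

// Constructed lookup standing in for the enrichment source (documentation ranges).
const IP_CONTEXT: Record<string, IpContext> = {
  "203.0.113.7": { geo: "NL", asn: "AS64500", knownBad: true },
  "198.51.100.20": { geo: "US", asn: "AS64501", knownBad: false },
};
const UNKNOWN: IpContext = { geo: "unknown", asn: "unknown", knownBad: false };
const MIN_ATTEMPT = 5; // threshold from the recipe's filter step

// Step 1 (filter.match): a single miss stays quiet, sustained failures pass.
// A non-integer count is rejected instead of being coerced.
function passesFilter(e: LoginFailed): boolean {
  return Number.isInteger(e.attempt) && e.attempt >= MIN_ATTEMPT;
}

// Step 2 (enrich.entity): attach geo, ASN and known-bad flag. An unresolved
// address is kept and marked, so a lookup gap never hides an alert.
function enrich(ip: string): IpContext {
  return IP_CONTEXT[ip] ?? UNKNOWN;
}

// Step 3 (redact.pii): keep the first character and the domain (assumed format).
// Input without a usable local part is fully masked.
function maskEmail(email: string): string {
  const at = email.lastIndexOf("@");
  if (at <= 0) return "***";
  return email.charAt(0) + "***" + email.slice(at);
}

function runPipeline(events: LoginFailed[]): Alert[] {
  return events
    .filter(passesFilter)
    .map((e) => ({ ...e, ...enrich(e.ip), email: maskEmail(e.email) }));
}

// Constructed sample events.
const SAMPLE: LoginFailed[] = [
  { email: "ada@example.com", ip: "203.0.113.7", reason: "bad-password", attempt: 6 },
  { email: "bob@example.com", ip: "198.51.100.20", reason: "bad-password", attempt: 1 },
  { email: "carol@example.com", ip: "192.0.2.55", reason: "locked", attempt: 5 },
  { email: "not-an-email", ip: "203.0.113.7", reason: "mfa", attempt: 9 },
];
```

Calling runPipeline(SAMPLE) returns three alerts: the attempt-1 event is dropped, the unresolved address is kept with "unknown" context, and the malformed email is fully masked.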