
Monitor failed logins in Slack

Catch the login failures that look like an attack — repeated misses from one address — with geo and network context attached before they reach you.

01 source

  • source: sdk.event (TypeScript SDK)
  • match: login.failed

02 pipeline · 3 steps

  • 01 CTL filter.match: attempt ≥ 5 only
  • 02 ENR enrich.entity: ip → geo · asn · known-bad
  • 03 MUT redact.pii: mask email before posting

03 destinations · 1

  • to: slack (Slack)
    channel: #alerts

the event

You emit login.failed with this shape. The TypeScript SDK keeps the call type-safe, and the event is stored whole, so every field below is available to the pipeline by name.

  • email: string
  • ip: string
  • reason: string, one of bad-password | locked | mfa
  • attempt: number, consecutive misses

emit it

From your code with the TypeScript SDK — or any language over the REST endpoint and signed webhook ingress.

emit login.failed
import { ingest } from "@ingestlayer/sdk";

// creds, req and result come from the surrounding login handler:
// the submitted credentials, the HTTP request, and the auth check's outcome.
await ingest("login.failed", {
  email:   creds.email,          // string
  ip:      req.ip,               // string
  reason:  result.reason,        // "bad-password" | "locked" | "mfa"
  attempt: result.consecutive,   // number of consecutive misses
});

route it to Slack

Post to any channel in your workspace. Connect once with OAuth, pick the channel per pipeline.

  1. connect your workspace

     Authorize the ingestlayer Slack app over OAuth from the destinations page. We hold only a channel-scoped bot token, in-region, in the same KMS as your other credentials.

  2. pick a channel

     Choose any public channel, or invite the bot to a private one. The channel is set per pipeline, so different events can land in different places.

  3. map the message

     Reference event fields with $event.* in the message template. The default renders a titled block with the event name and its key fields.

in slack · delivered
┌─ #alerts ──────────────────────────────┐
│  ingestlayer  APP                       │
│  user.signed_up                         │
│  email   ada@acme.com                   │
│  plan    pro                            │
│  source  marketing-site                 │
└─────────────────────────────────────────┘

questions

How do I avoid alerting on typos?
Filter on the attempt count so a single fat-fingered password stays quiet and only sustained failures escalate.
Where does the geo come from?
enrich.entity resolves the IP to geo, ASN, and a known-bad flag in flight, so the alert carries the context to act on.
Is it safe to post emails to a channel?
redact.pii masks the email for the chat destination while the full record still lands in your audit table.
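The three steps above, filter on attempt count, enrich the IP, mask the email, written out in plain TypeScript over a constructed batch of login.failed events. This is an added example, not ingestlayer's code; the IP lookup table stands in for whatever enrich.entity resolves against and the masking rule is an assumption.

```typescript
type Reason = "bad-password" | "locked" | "mfa";
type LoginFailed = { email: string; ip: string; reason: Reason; attempt: number };
type Intel = { geo: string; asn: string; knownBad: boolean };
type Enriched = LoginFailed & Intel;

// Constructed lookup standing in for enrich.entity's IP resolution (assumption).
const IP_INTEL: Record<string, Intel> = {
  "203.0.113.7":  { geo: "NL", asn: "AS64500", knownBad: true },
  "198.51.100.2": { geo: "US", asn: "AS64501", knownBad: false },
};

// Step 01, filter.match: only events with attempt >= 5 continue.
function filterMatch(events: LoginFailed[], minAttempt = 5): LoginFailed[] {
  return events.filter((e) => e.attempt >= minAttempt);
}

// Step 02, enrich.entity: attach geo, ASN and known-bad flag for the IP.
function enrichEntity(e: LoginFailed): Enriched {
  const intel = IP_INTEL[e.ip] ?? { geo: "unknown", asn: "unknown", knownBad: false };
  return { ...e, ...intel };
}

// Step 03, redact.pii: keep the first character and the domain, mask the rest.
function maskEmail(email: string): string {
  const at = email.indexOf("@");
  if (at <= 0) return "***";
  return email.charAt(0) + "***" + email.slice(at);
}

// Render the titled block in the shape the Slack preview uses.
function renderSlack(e: Enriched): string {
  const flag = e.knownBad ? ", known-bad" : "";
  return [
    "login.failed",
    `email   ${maskEmail(e.email)}`,
    `ip      ${e.ip} (${e.geo}, ${e.asn}${flag})`,
    `reason  ${e.reason}`,
    `attempt ${e.attempt}`,
  ].join("\n");
}

// Whole pipeline: one rendered message per event that survives the filter.
function runPipeline(events: LoginFailed[]): string[] {
  return filterMatch(events).map(enrichEntity).map(renderSlack);
}

// Constructed sample: one typo (stays quiet) and one sustained run (escalates).
const SAMPLE: LoginFailed[] = [
  { email: "ada@acme.com", ip: "198.51.100.2", reason: "bad-password", attempt: 1 },
  { email: "ada@acme.com", ip: "203.0.113.7",  reason: "bad-password", attempt: 6 },
];
```

Running runPipeline(SAMPLE) yields a single message, for the attempt-6 event, with the email masked and the known-bad flag attached.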