
Monitor failed logins in Webhook

Catch the login failures that look like an attack — repeated misses from one address — with geo and network context attached before they reach you.

01 source

source: sdk.event (TypeScript SDK)
match: login.failed

02 pipeline · 3 steps

  • 01 CTL filter.match: attempt ≥ 5 only
  • 02 ENR enrich.entity: ip → geo · asn · known-bad
  • 03 MUT redact.pii: mask email before posting

03 destinations · 1

  • to: webhook.out (Webhook)
    url: https://api.acme.com/hooks

the event

You emit login.failed with this shape. The TypeScript SDK keeps the call type-safe, and the event is stored whole — so every field below is available to the pipeline by name.

  • email: string
  • ip: string
  • reason: string (bad-password | locked | mfa)
  • attempt: number (consecutive misses)

emit it

From your code with the TypeScript SDK — or any language over the REST endpoint and signed webhook ingress.

emit login.failed
import { ingest } from "@ingestlayer/sdk";

await ingest("login.failed", {
  email:   creds.email,
  ip:      req.ip,
  reason:  result.reason,
  attempt: result.consecutive,
});

route it to Webhook

POST the processed event as JSON to any HTTPS endpoint you control.

  1. set the URL

    Any HTTPS endpoint. The processed event is delivered as a JSON body on POST.

  2. choose auth

    None, a bearer token, or HMAC signing. Signed requests carry an X-Ingestlayer-Signature header you verify with your shared secret.

  3. confirm receipt

    Return a 2xx within the timeout. Non-2xx responses trigger retries with exponential backoff before the delivery dead-letters.

in webhook · delivered
POST /hooks HTTP/1.1
Host: api.acme.com
Content-Type: application/json
X-Ingestlayer-Signature: t=1717000000,v1=9f86d08…

{
  "type": "user.signed_up",
  "payload": { "email": "ada@acme.com", "plan": "pro" }
}
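
For the HMAC option under "choose auth", the receiver-side check of X-Ingestlayer-Signature can look like the following. This is an added example, not Ingestlayer's own code: the page does not state the signing scheme, so hex HMAC-SHA256 over t + "." + raw body, the 300-second tolerance, the function names and the sample values are all assumptions.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// ASSUMPTION (not stated on the page): v1 is the hex HMAC-SHA256 of `${t}.${rawBody}`.
// Confirm the real scheme in the product documentation before relying on this.
const TOLERANCE_SECONDS = 300; // assumed replay window

// "t=1717000000,v1=abc..." -> { t: "1717000000", v1: ["abc..."] }
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header || "").split(",")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === "t") out.t = value;
    else if (key === "v1") out.v1.push(value);
  }
  return out;
}

function sign(secret, t, rawBody) {
  return createHmac("sha256", secret).update(`${t}.`).update(rawBody).digest();
}

// rawBody must be the exact bytes received, captured before any JSON parsing.
function verifyWebhook(header, rawBody, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!t || !/^\d+$/.test(t) || v1.length === 0) {
    return { ok: false, reason: "malformed-header" };
  }
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" }; // old deliveries cannot be replayed
  }
  const expected = sign(secret, t, rawBody);
  // The length check comes first because timingSafeEqual throws on unequal lengths.
  const match = v1.some(
    (hex) => /^[0-9a-f]{64}$/i.test(hex) && timingSafeEqual(Buffer.from(hex, "hex"), expected)
  );
  return match ? { ok: true } : { ok: false, reason: "bad-signature" };
}

// Constructed sample delivery: secret, timestamp and body are made up for this example.
const SAMPLE_SECRET = "example-shared-secret";
const SAMPLE_BODY = Buffer.from('{"type":"login.failed","payload":{"ip":"203.0.113.7","attempt":6}}');
const SAMPLE_HEADER = `t=1717000000,v1=${sign(SAMPLE_SECRET, "1717000000", SAMPLE_BODY).toString("hex")}`;
```

Reject the request with a non-2xx status when ok is false, and parse the JSON only after verification succeeds.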

notes

questions

How do I avoid alerting on typos?
Filter on the attempt count so a single fat-fingered password stays quiet and only sustained failures escalate.
Where does the geo come from?
enrich.entity resolves the IP to geo, ASN, and a known-bad flag in flight, so the alert carries the context to act on.
Is it safe to post emails to a channel?
redact.pii masks the email for the chat destination while the full record still lands in your audit table.