User Login Suspicious
User Login Suspicious
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
This event is generated when a user logs in and FusionAuth has considered them to be a potential threat.
Event typeuser.login.suspicious
Event Scope
This is a tenant scoped event.
Prior to version 1.37.0 this event was sent to all webhooks, and it was a webhook's responsibility to filter on the tenantId field.
In version 1.37.0 and later, this event will only be sent to tenants for which webhooks for this event are enabled.
Prior to version 1.37.0 this was a tenant scoped event. This event will be sent to all tenants that are listening, but will contain a tenantId to allow for filtering.
In version 1.37.0 and later this is also a tenant scoped event. It can be sent to all tenants or to one or more specified tenants. However, those tenants will not be sent events for other tenants, but only events related to themselves.
Transaction Compatibility
This event is transactional. The final state of the operation which caused the webhook is not persisted to FusionAuth until after the webhook finishes; learn more
Event Body
event.applicationIdUUIDThe unique Id of the Application for which the user has requested login. If the login request omits the applicationId or the user is not registered for the requested applicationId this value will not be returned in the event.
event.authenticationTypeStringThe type of authentication used in the login request. The possible values are:
-
APPLE- The user was authenticated using Apple. -
APPLICATION_TOKEN- The user was authenticated using an Application Authentication Token. -
EpicGames- The user was authenticated using Epic Games. -
FACEBOOK- The user was authenticated using Facebook. -
FEDERATED_JWT- The user was authenticated using a JWT from an external source. -
GENERIC_CONNECTOR- The user was authenticated using a generic connector. -
GOOGLE- The user was authenticated using Google. -
HYPR- The user was authenticated using HYPR. -
JWT_SSO- A valid JWT associated with one application was exchanged for another JWT associated with a different application. -
LDAP_CONNECTOR- The user was authenticated using an LDAP connector. -
LINKEDIN- The user was authenticated using LinkedIn. -
Nintendo- The user was authenticated using Nintendo. Available since 1.36.0 -
ONE_TIME_PASSWORD- The user was authenticated using a one-time password. -
OPENID_CONNECT- The user was authenticated using OIDC. -
PASSWORD- The user was authenticated using a loginId and password combination. -
PASSWORDLESS- The user was authenticated using a passwordless login link. -
PING- The user was authenticated using aPUTrequest on the Login API. This is used to record a login event without prompting for credentials, such as when the FusionAuth SSO session is used. -
REFRESH_TOKEN- The user requested a new JWT using a refresh token. -
REGISTRATION- The user was created using the Registration API. -
SAMLv2- The user was authenticated using SAMLv2. -
SAMLv2IdpInitiated- The user was authenticated using SAMLv2 IdP Initiated login. -
SonyPSN- The user was authenticated using Sony. -
Steam- The user was authenticated using Steam. -
TWITTER- The user was authenticated using Twitter. -
Twitch- The user was authenticated using Twitch. -
USER_CREATE- The user was created using the User API. -
WebAuthn- The user was authenticated using a passkey. Available since 1.41.0 -
Xbox- The user was authenticated using Xbox.
event.connectorIdUUIDThe unique Id of the connector used to complete the login.
event.createInstantLongThe instant that the event was generated.
event.idUUIDThe unique Id of the event. You may receive an event more than once based upon your transaction settings. This Id may be used to identify a duplicate event.
event.identityProviderIdUUIDThe unique Id of the identity provider used to complete the login. This value will be omitted from the event if an identity provider was not used.
event.identityProviderNameStringThe name of the identity provider used to complete the login. This value will be omitted from the event if an identity provider was not used.
event.info.dataObjectAvailable since 1.30.0An object that can hold any information about the event that should be persisted.
event.info.deviceDescriptionStringAvailable since 1.30.0The description of the device associated with the event.
event.info.deviceNameStringAvailable since 1.30.0The device name associated with the event.
event.info.deviceTypeStringAvailable since 1.30.0The type of device associated with the event.
event.info.ipAddressStringAvailable since 1.27.0The source IP address of the event.
event.info.location.cityStringAvailable since 1.30.0The city where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.location.countryStringAvailable since 1.30.0The country where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.location.latitudeDoubleAvailable since 1.30.0The latitude where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.location.longitudeDoubleAvailable since 1.30.0The longitude where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.location.regionStringAvailable since 1.30.0The geographic location where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.location.zipcodeStringAvailable since 1.30.0The zip code where the event originated.
Note: An Enterprise plan is required to utilize event location data.
event.info.osStringAvailable since 1.30.0The operating system associated with the event.
event.info.userAgentStringAvailable since 1.30.0The user agent associated with the event.
event.tenantIdUUIDThe unique tenant identifier. This value may not be returned if not applicable.
event.threatsDetectedArray<String>The types of potential threats that have been flagged for this event.
The possible values are:
ImpossibleTravel- The distance between recent logins exceeds the possible value a person can travel within the allotted time frame.
event.typeStringThe event type, this value will always be user.login.suspicious.
event.userObjectThe user that completed the login request. See the Users API for property definitions and example JSON
Example Event JSON
{
"event": {
"applicationId": "134f7157-0252-4100-889e-8b3084b85660",
"authenticationType": "PASSWORD",
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"createInstant": 1630383272048,
"id": "0f2a3e31-d7c9-48dc-841a-b47ca4830773",
"info": {
"ipAddress": "42.42.42.42",
"location": {
"city": "Denver",
"country": "US",
"displayString": "Denver, CO, US",
"latitude": 39.77777,
"longitude": -104.9191,
"region": "CO"
},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
},
"ipAddress": "127.0.0.1",
"tenantId": "30663132-6464-6665-3032-326466613934",
"threatsDetected": [
"ImpossibleTravel"
],
"type": "user.login.suspicious",
"user": {
"active": true,
"birthDate": "1981-06-04",
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"data": {
"Company": "PiedPiper",
"PreviousCompany": "Aviato",
"user_type": "iconclast"
},
"email": "example@fusionauth.io",
"firstName": "Erlich",
"id": "00000000-0000-0000-0000-000000000001",
"insertInstant": 1630083026349,
"lastLoginInstant": 1630383233716,
"lastName": "Bachman",
"lastUpdateInstant": 1630083026349,
"memberships": [],
"passwordChangeRequired": false,
"passwordLastUpdateInstant": 1630083026431,
"preferredLanguages": [],
"registrations": [],
"tenantId": "30663132-6464-6665-3032-326466613934",
"twoFactor": {
"methods": [],
"recoveryCodes": []
},
"usernameStatus": "ACTIVE",
"verified": true
}
}
}