User Login Suspicious
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
This event has been available since 1.30.0
This event is generated when a user logs in and FusionAuth has considered them to be a potential threat.
user.login.suspicious
Event Scope
Prior to version 1.37.0 this was a tenant scoped event. This event will be sent to all tenants that are listening, but will contain a tenantId to allow for filtering.
In version 1.37.0 and later this is also a tenant scoped event. It can be sent to all tenants or to one or more specified tenants. However, those tenants will not be sent events for other tenants, but only events related to themselves.
Transaction Compatibility
This event is transactional. The final state of the operation which caused the webhook is not persisted to FusionAuth until after the webhook finishes; learn more.
Event Body
- event.applicationId [UUID]
-
The unique Id of the Application for which the user has requested login. If the login request omits the applicationId or the user is not registered for the requested applicationId this value will not be returned in the event.
- event.authenticationType [String]
-
The type of authentication used in the login request.
- event.connectorId [UUID]
-
The unique Id of the connector used to complete the login.
- event.createInstant [Long]
-
The instant that the event was generated.
- event.id [UUID]
-
The unique Id of the event. You may receive an event more than once based upon your transaction settings. This Id may be used to identify a duplicate event.
- event.identityProviderId [UUID]
-
The unique Id of the identity provider used to complete the login. This value will be omitted from the event if an identity provider was not used.
- event.identityProviderName [String]
-
The name of the identity provider used to complete the login. This value will be omitted from the event if an identity provider was not used.
- event.info.data [Object]
-
An object that can hold any information about the event that should be persisted.
- event.info.deviceDescription [String]
-
The description of the device associated with the event.
- event.info.deviceName [String]
-
The device name associated with the event.
- event.info.deviceType [String]
-
The type of device associated with the event.
- event.info.ipAddress [String]
-
The source IP address of the event.
- event.info.location.city [String]
-
The city where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.location.country [String]
-
The country where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.location.latitude [Double]
-
The latitude where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.location.longitude [Double]
-
The longitude where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.location.region [String]
-
The geographic location where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.location.zipcode [String]
-
The zip code where the event originated.
Note: A paid plan is required to utilize event info location.
- event.info.os [String]
-
The operating system associated with the event.
- event.info.userAgent [String]
-
The user agent associated with the event.
- event.tenantId [UUID]
-
The unique tenant identifier. This value may not be returned if not applicable.
- event.threatsDetected [Array<String>]
-
The types of potential threats that have been flagged for this event.
The possible values are:
  - ImpossibleTravel - The distance between recent logins exceeds the possible value a person can travel within the allotted time frame.
- event.type [String]
-
The event type, this value will always be user.login.suspicious.
- event.user [Object]
-
The user that completed the login request. See the Users API for property definitions and example JSON.
{
  "event": {
    "applicationId": "134f7157-0252-4100-889e-8b3084b85660",
    "authenticationType": "PASSWORD",
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "createInstant": 1630383272048,
    "id": "0f2a3e31-d7c9-48dc-841a-b47ca4830773",
    "info": {
      "ipAddress": "42.42.42.42",
      "location": {
        "city": "Denver",
        "country": "US",
        "displayString": "Denver, CO, US",
        "latitude": 39.77777,
        "longitude": -104.9191,
        "region": "CO"
      },
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
    },
    "ipAddress": "127.0.0.1",
    "tenantId": "30663132-6464-6665-3032-326466613934",
    "threatsDetected": [
      "ImpossibleTravel"
    ],
    "type": "user.login.suspicious",
    "user": {
      "active": true,
      "birthDate": "1981-06-04",
      "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
      "data": {
        "Company": "PiedPiper",
        "PreviousCompany": "Aviato",
        "user_type": "iconclast"
      },
      "email": "example@fusionauth.io",
      "firstName": "Erlich",
      "id": "00000000-0000-0000-0000-000000000001",
      "insertInstant": 1630083026349,
      "lastLoginInstant": 1630383233716,
      "lastName": "Bachman",
      "lastUpdateInstant": 1630083026349,
      "memberships": [],
      "passwordChangeRequired": false,
      "passwordLastUpdateInstant": 1630083026431,
      "preferredLanguages": [],
      "registrations": [],
      "tenantId": "30663132-6464-6665-3032-326466613934",
      "twoFactor": {
        "methods": [],
        "recoveryCodes": []
      },
      "usernameStatus": "ACTIVE",
      "verified": true
    }
  }
}
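A webhook consumer for this event, as an added example that is not FusionAuth code: it filters on tenantId, uses event.id to drop duplicate deliveries, and reduces the event to an alert record. The class name, return strings and alert fields are assumptions made for illustration; the sample body is constructed from the example JSON above.

```python
import json

# Constructed sample body, trimmed from the example event on this page.
SAMPLE = json.dumps({"event": {
    "id": "0f2a3e31-d7c9-48dc-841a-b47ca4830773",
    "type": "user.login.suspicious",
    "createInstant": 1630383272048,
    "tenantId": "30663132-6464-6665-3032-326466613934",
    "threatsDetected": ["ImpossibleTravel"],
    "info": {"ipAddress": "42.42.42.42",
             "location": {"city": "Denver", "region": "CO", "country": "US"}},
    "user": {"id": "00000000-0000-0000-0000-000000000001"},
}})

class SuspiciousLoginHandler:
    """Hypothetical consumer; the names here are not FusionAuth APIs."""

    def __init__(self, expected_tenants):
        self.expected_tenants = set(expected_tenants)
        self.seen_event_ids = set()  # in production: a shared store with expiry
        self.alerts = []

    def handle(self, raw_body):
        try:
            event = json.loads(raw_body)["event"]
            event_id, event_type = str(event["id"]), event["type"]
        except (ValueError, KeyError, TypeError):
            return "rejected"  # not JSON, or not shaped like an event
        if event_type != "user.login.suspicious":
            return "ignored"
        # tenantId may be omitted; filter only when an allow-list is configured.
        if self.expected_tenants and event.get("tenantId") not in self.expected_tenants:
            return "ignored"
        if event_id in self.seen_event_ids:  # the same event may arrive twice
            return "duplicate"
        self.seen_event_ids.add(event_id)
        info = event.get("info") or {}
        location = info.get("location") or {}  # location requires a paid plan
        place = [location[k] for k in ("city", "region", "country") if location.get(k)]
        self.alerts.append({
            "eventId": event_id,
            "userId": (event.get("user") or {}).get("id"),
            "threats": list(event.get("threatsDetected") or []),
            "ipAddress": info.get("ipAddress"),
            "where": ", ".join(place) or None,
            "createInstant": event.get("createInstant"),
        })
        return "alerted"
```

The alert record deliberately carries the user Id rather than the full event.user object, so profile data such as email and birth date does not spread into alerting systems.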