Audit Log Event for Unseen IP Address User Authentications
Proposal
This feature request proposes we create a log entry for when a user authenticates to GitLab from an unseen IP address. We currently send end-users an email alert notifying them of the "new sign-in" (Send email notification for unknown sign ins (!29741 - merged)). The audit event would reflect that a user authentication (WebUI, Personal Access Token, OAuth token, git https/ssh events) was successful, but the ip was not in the known_ip_addresses for the user.
Example audit event
{
"severity": "INFO",
"time": "2026-01-29T05:20:00.687Z",
"correlation_id": "12345",
"meta.caller_id": "SessionsController#create",
"meta.feature_category": "system_access",
"meta.organization_id": 1,
"meta.remote_ip": "::1",
"meta.http_router_rule_action": "classify",
"meta.http_router_rule_type": "SESSION_PREFIX",
"meta.user": "john.smith",
"meta.gl_user_id": 9001,
"meta.client_id": "user/9001",
"id": 220,
"author_id": 9001,
"entity_id": 9001,
"entity_type": "User",
"details": "(omitted)",
"ip_address": "1.2.3.4",
"author_name": "John Smith",
"entity_path": "john.smith",
"target_details": "John Smith",
"created_at": "2026-01-29T05:20:00.656Z",
"target_type": "User",
"target_id": 9001,
"with": "standard",
"event_name": "user_signed_in_from_unseen_ip",
"author_class": "User",
"custom_message": "Signed in from a previously unseen IP address"
}
| Authentication Method | Status | MR/Links/Notes |
|---|---|---|
| WebUI Sign-ins | !231250 (merged) | |
| Personal Access Tokens | !233712 (merged) - requires feature flag for team members only first | |
| OAuth Tokens | ||
| Group/Project Tokens | (Covered under PATs: !233712 (merged)) | |
| git SSH/HTTPs |
Edited by Neil McDonald