<!-- This template is a great use for issues that are feature::additions or technical tasks for larger issues.--> ### Proposal This feature request proposes we create a log entry for when a user authenticates to GitLab from an _unseen IP address_. We currently send end-users an email alert notifying them of the "new sign-in" (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/29741+). The audit event would reflect that a _user authentication_ (WebUI, Personal Access Token, OAuth token, git https/ssh events) was successful, but the ip was not in the [known_ip_addresses](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/controllers/concerns/known_sign_in.rb?ref_type=heads#L43-45) for the user. <details><summary>Example audit event</summary> ```json { "severity": "INFO", "time": "2026-01-29T05:20:00.687Z", "correlation_id": "12345", "meta.caller_id": "SessionsController#create", "meta.feature_category": "system_access", "meta.organization_id": 1, "meta.remote_ip": "::1", "meta.http_router_rule_action": "classify", "meta.http_router_rule_type": "SESSION_PREFIX", "meta.user": "john.smith", "meta.gl_user_id": 9001, "meta.client_id": "user/9001", "id": 220, "author_id": 9001, "entity_id": 9001, "entity_type": "User", "details": "(omitted)", "ip_address": "1.2.3.4", "author_name": "John Smith", "entity_path": "john.smith", "target_details": "John Smith", "created_at": "2026-01-29T05:20:00.656Z", "target_type": "User", "target_id": 9001, "with": "standard", "event_name": "user_signed_in_from_unseen_ip", "author_class": "User", "custom_message": "Signed in from a previously unseen IP address" } ``` </details> <!-- Label reminders Use the following resources to find the appropriate labels: - Use only one tier label choosing the lowest tier this is intended for - https://gitlab.com/gitlab-org/gitlab/-/labels - https://about.gitlab.com/handbook/product/categories/features/ --> | Authentication Method | Status | MR/Links/Notes | | ------ | ------ | ------ | | WebUI Sign-ins | :white_check_mark: | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/231250 | | Personal Access Tokens | :hourglass_flowing_sand: | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/233712 - requires feature flag for team members only first | | OAuth Tokens | :clock1: | | | Group/Project Tokens | :white_check_mark: | (Covered under PATs: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/233712) | | git SSH/HTTPs | :clock1: | |