Review an IP from a suspicious login alert

Look up the IP behind a login alert to add location and provider context before you decide whether the event is truly abnormal.

Security teams and support agents often need fast context on a login event. An IP lookup helps you compare the alert against the user’s recent activity and expected region.

Open the tool Expected result

How to use it

Step 1

Look up the alert IP

Use the exact source value recorded by your auth system.

Step 2

Compare against account history

Review whether the country, city, or provider is consistent with past behavior.

Step 3

Combine with other signals

Use device, MFA, and timestamp context before labeling the login suspicious.

Sample input

198.51.100.12

Expected result

You can triage the alert faster and avoid overreacting to routine travel, mobile carrier routing, or shared-network behavior.

Common mistakes

Treating location mismatch as conclusive proof of compromise.
Ignoring shared IP behavior on carrier networks.
Using the lookup without checking account history.

Related workflows

Check where suspicious traffic is coming from

Guide

Debug a geolocation mismatch with an IP lookup

Guide

Related tools

ToolsDashboard

review login alert ip

Review an IP from a suspicious login alert

Look up the IP behind a login alert to add location and provider context before you decide whether the event is truly abnormal.

Security teams and support agents often need fast context on a login event. An IP lookup helps you compare the alert against the user’s recent activity and expected region.

Open the tool Expected result