Security Events
Security Events
Overview
The Security Events module provides real-time monitoring and logging of security-related activities in your admin panel. It tracks failed login attempts, account lockouts, permission changes, suspicious activities, and other security-relevant events. This module helps you identify potential security threats, investigate incidents, and maintain awareness of your system's security posture.
Unlike audit logs which track all administrative actions, security events focus specifically on activities that may indicate security concerns or require immediate attention.
Accessing Security Events
Navigation path: Dashboard > Security > Events
Required permission: security.events.view
Key Features
- Real-time Event Monitoring: Track security events as they occur
- Severity Classification: Events categorized by severity (Critical, High, Medium, Low)
- Dashboard Statistics: Quick overview of recent security activity
- Event Filtering: Filter by type, severity, date, and user
- Detailed Event Information: View complete details including metadata
- Alert Notifications: Automatic alerts for critical events (if configured)
- Event Management: Delete old or resolved events
Main Interface
Dashboard Statistics
Four cards at the top provide quick insights:
- Critical Events (24h): Number of critical severity events in the last 24 hours
- High Events (24h): Number of high severity events in the last 24 hours
- Failed Logins (Today): Total failed login attempts today
- Locked Accounts: Number of currently locked accounts
These statistics help you quickly assess if there are any immediate security concerns.
Filter Section
Filter events by:
- Event Type: Failed login, account locked, permission change, suspicious activity
- Severity: Critical, high, medium, low
- From Date: Show events from this date forward
Events Table
The main table displays security events with the following columns:
- Time: When the event occurred (YYYY-MM-DD HH:MM:SS format)
- Event Type: Category of the security event
- Severity: Color-coded severity badge
- User: User associated with the event (if applicable)
- IP Address: Source IP address
- Description: Brief description of the event
- Actions: View details button
Severity Badges
Events are color-coded by severity:
- Red (Critical): Immediate attention required
- Orange (High): Important security concern
- Yellow (Medium): Notable event requiring review
- Blue (Low): Informational security event
Event Types
Failed Login
Description: Someone attempted to log in with incorrect credentials
Severity: Low to Medium (escalates with repeated attempts)
Common Causes:
- User forgot password
- Typo in password
- Brute force attack attempt
- Credential stuffing attack
What to Check:
- Number of attempts from same IP
- Multiple usernames from same IP
- Pattern of attempts (automated vs. manual)
- Geographic location of IP
Account Locked
Description: An account was automatically locked due to failed login attempts
Severity: Medium to High
Common Causes:
- Exceeded maximum failed login attempts
- User forgot password and kept trying
- Automated attack triggered lockout
What to Do:
- Verify the user is legitimate
- Check for attack patterns
- Unlock account if legitimate user
- Investigate if suspicious
Permission Change
Description: User permissions or roles were modified
Severity: Medium to High
Common Causes:
- Administrator updated user permissions
- Role assignments changed
- Privilege escalation attempt (if unauthorized)
What to Check:
- Who made the change
- What permissions were added/removed
- Whether the change was authorized
- If the user requested the change
Suspicious Activity
Description: Unusual behavior detected that may indicate a security threat
Severity: High to Critical
Examples:
- Multiple failed 2FA attempts
- Access from unusual location
- Rapid succession of actions
- Attempts to access restricted resources
- SQL injection attempts
- XSS attempts
What to Do:
- Investigate immediately
- Review related audit logs
- Consider disabling affected accounts
- Check for data breaches
- Update security measures
Common Tasks
Task 1: Viewing Recent Security Events
- Navigate to Dashboard > Security > Events
- Review the dashboard statistics for any concerning numbers
- Scroll through the events table
- Look for patterns or unusual activity
- Click View on any event for more details
Result: You can see recent security activity at a glance.
Task 2: Investigating Failed Login Attempts
- Navigate to Dashboard > Security > Events
- In the filter section, select Event Type: "Failed Login"
- Click Filter
- Review the list of failed attempts
- Look for:
- Multiple attempts from the same IP
- Attempts on multiple accounts from one IP
- Geographic patterns
- Click View on suspicious entries for details
Result: You can identify potential brute force attacks or users having trouble logging in.
Task 3: Filtering Critical Events
- Navigate to Dashboard > Security > Events
- In the filter section, select Severity: "Critical"
- Click Filter
- Review all critical events
- Investigate each one thoroughly
- Take appropriate action based on findings
Result: You can focus on the most serious security concerns.
Task 4: Viewing Event Details
- Navigate to Dashboard > Security > Events
- Find the event you want to examine
- Click View in the Actions column
- Review the detailed information:
- Event type and severity
- Exact timestamp
- User information (name, email)
- IP address
- User agent (browser/device)
- Full description
- Metadata (additional technical details)
- Notification status
Result: You have complete information about the security event.
Task 5: Investigating a Specific User's Security Events
- Navigate to Dashboard > Security > Events
- Scroll through the table or use filters
- Look for events associated with the specific user
- Review their security-related activities
- Check for patterns or concerns
Result: You can see all security events related to a particular user.
Note: Currently there's no user filter, but you can search visually or check audit logs for more detailed user activity.
Task 6: Monitoring Events from a Specific IP
- Navigate to Dashboard > Security > Events
- Scan the IP Address column for the target IP
- Review all events from that IP
- Look for suspicious patterns
- Consider adding IP to whitelist or blacklist
Result: You can track activity from a specific IP address.
Task 7: Reviewing Events from a Date Range
- Navigate to Dashboard > Security > Events
- In the filter section, set From Date to your start date
- Click Filter
- Review events from that date forward
- Look for trends or incidents
Result: You can analyze security events over a specific time period.
Task 8: Deleting Old Security Events
- Navigate to Dashboard > Security > Events
- Find an event you want to delete
- Click View to open the event details
- Scroll to the bottom
- Click Delete Event
- Confirm the deletion
Result: The security event is permanently removed.
Note: Only delete events that have been fully investigated and resolved. Keep events for compliance and historical analysis.
Event Details Page
When you view an event, you'll see:
Event Information Section
- Event Type: Category of the event
- Severity: Severity level with color-coded badge
- Date & Time: Exact timestamp
- IP Address: Source IP
User Information Section
- User: Name and email (if applicable)
- User Agent: Browser and device information
- Notified: Whether alerts were sent and when
Description
Full description of what happened
Metadata
Technical details in JSON format, may include:
- Request details
- Error messages
- Stack traces
- Additional context
Severity Levels
Critical
Definition: Immediate security threat requiring urgent action
Examples:
- Multiple failed 2FA attempts
- Successful privilege escalation
- Data breach detected
- SQL injection attempt
- Unauthorized access to sensitive data
Response: Investigate immediately, take defensive action
High
Definition: Significant security concern requiring prompt attention
Examples:
- Account locked due to failed attempts
- Unauthorized permission changes
- Access from suspicious location
- Multiple failed login attempts
- Unusual activity patterns
Response: Investigate within hours, monitor closely
Medium
Definition: Notable security event requiring review
Examples:
- Permission changes (authorized)
- Failed login attempts (few)
- Password changes
- 2FA setup/removal
- Access from new location
Response: Review during regular security checks
Low
Definition: Informational security event
Examples:
- Single failed login
- Successful 2FA verification
- Normal permission checks
- Routine security validations
Response: Monitor for patterns, no immediate action needed
Permissions
The following permissions control access to security events:
security.events.view: Can view security eventssecurity.events.delete: Can delete security eventssecurity.events.manage: Full access to security events
Note: Access should be limited to security administrators and senior staff.
Tips and Best Practices
Daily Monitoring
- Check the dashboard statistics every day
- Review critical and high severity events immediately
- Look for unusual patterns or spikes
- Investigate any locked accounts
- Monitor failed login attempts
Pattern Recognition
- Watch for multiple failed logins from same IP
- Look for attempts on multiple accounts
- Notice access from unusual locations
- Identify time-based patterns (attacks often occur at night)
- Track escalating severity levels
Incident Response
- Document all security incidents
- Take screenshots of relevant events
- Export related audit logs
- Notify appropriate personnel
- Follow your incident response plan
- Update security measures based on findings
Alert Configuration
- Configure alerts in Security Settings
- Set appropriate thresholds for notifications
- Use multiple alert channels (email, database)
- Test alert delivery regularly
- Ensure alerts go to monitored addresses
Event Retention
- Keep security events for compliance period
- Export and archive old events
- Delete only after thorough investigation
- Maintain separate backup of critical events
- Document retention policy
Integration with Other Tools
- Cross-reference with audit logs
- Check IP addresses in IP whitelist
- Review user accounts in user management
- Correlate with system logs
- Use external threat intelligence
Troubleshooting
Problem: Too Many False Positives
Solution:
- Review and adjust severity thresholds in Security Settings
- Whitelist known safe IPs
- Adjust failed login thresholds
- Fine-tune suspicious activity detection
- Document known patterns to ignore
Problem: Missing Expected Events
Solution:
- Verify security monitoring is enabled in Security Settings
- Check that event logging is working
- Review application logs for errors
- Verify database connectivity
- Check that the event type is being tracked
Problem: Not Receiving Alerts
Solution:
- Verify alert configuration in Security Settings
- Check that monitoring is enabled
- Verify email addresses are correct
- Test mail configuration
- Check spam/junk folders
- Review application logs for email errors
Problem: Can't Determine if Event is Legitimate
Solution:
- Check audit logs for related actions
- Contact the user to verify activity
- Review IP address location
- Check user agent for device information
- Look at timing and patterns
- When in doubt, investigate further
Problem: Overwhelming Number of Events
Solution:
- Use filters to focus on high/critical events
- Adjust thresholds to reduce noise
- Whitelist known safe IPs
- Set up automated alerts for critical events only
- Review and clean up old events regularly
- Consider implementing rate limiting
Problem: Can't Delete Events
Solution:
- Verify you have
security.events.deletepermission - Check if event is locked or protected
- Review application logs for errors
- Try refreshing the page
- Contact system administrator
Related Modules
- Audit Logs: Detailed logs of all administrative actions
- Security Settings: Configure security monitoring and alerts
- IP Whitelist: Manage allowed IP addresses
- Users: Manage user accounts that appear in events
- Two-Factor Authentication: Additional security layer
Quick Links
Need More Help?
Our comprehensive documentation covers everything from basic setup to advanced configurations. Check out these additional resources: