26 Security Events Every SaaS Should Track

A complete guide to the security events your SaaS application needs to monitor for threat detection, compliance, and incident response.

Amirol Ahmad
March 1, 2026

You're logging errors. You're tracking user signups. But are you logging the events that actually matter for security?

Most SaaS applications have massive blind spots in their security logging. When an incident happens—and it will—you need to answer questions like:

  • Who accessed what, and when?
  • What changed before the breach?
  • How did the attacker get in?

Without proper security event logging, you're flying blind.

Here are the 26 security events every SaaS should be tracking, organized by category.

Authentication Events

These are your first line of defense. Authentication events tell you who's trying to get in, and whether they succeeded.

1. auth.login_success

Every successful login. This is your baseline for normal behavior.

What to capture:

  • User ID and email
  • IP address
  • User agent
  • Timestamp
  • Authentication method (password, SSO, magic link)

2. auth.login_failed

Failed login attempts are critical for detecting brute force attacks.

What to capture:

  • Attempted username/email
  • IP address
  • Failure reason (invalid password, user not found, account locked)
  • Attempt count

Alert threshold: 5+ failures from the same IP or for the same account within 10 minutes.

3. auth.logout

Track when sessions end intentionally.

4. auth.password_reset

Password resets can be legitimate—or a sign of account takeover.

What to capture:

  • Who initiated (user or admin)
  • IP address
  • Whether MFA was required

5. auth.mfa_enabled

Celebrate this one. A user securing their account is always good news.

6. auth.mfa_disabled

This is a warning sign. MFA disabled could mean:

  • Account takeover in progress
  • Social engineering succeeded
  • Legitimate user preference (but still worth monitoring)

Recommended action: Send notification to user's backup email.

7. auth.session_expired

Normal behavior, but useful for understanding session patterns.

8. auth.token_refreshed

Token refresh patterns can reveal session hijacking attempts.

Authorization Events

Authentication tells you who someone is. Authorization tells you what they're trying to do.

9. authz.access_denied

Someone tried to access something they shouldn't. Could be a misconfigured role, or could be reconnaissance.

What to capture:

  • User ID
  • Requested resource
  • Required permission
  • User's current permissions

Alert threshold: 10+ denials from the same user in 1 hour.
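
The two alert thresholds so far (5+ auth.login_failed from one IP or for one account within 10 minutes, and 10+ authz.access_denied from one user in 1 hour) are both sliding-window counts. The sketch below is an added example, not LiteSOC code; the event shape and the one-alert-per-window cooldown are assumptions. Counting failed logins by IP and by account separately matters because one IP trying many accounts and many IPs trying one account each trip only one of the two counters.

```javascript
// Added example; the event shape { event, ts, ip, email, userId } is an assumption.
const MIN = 60 * 1000;
const RULES = [
  // 5+ failed logins from the same IP, or for the same account, within 10 minutes
  { event: 'auth.login_failed', by: 'ip', keyOf: (e) => e.ip, limit: 5, windowMs: 10 * MIN },
  { event: 'auth.login_failed', by: 'account', keyOf: (e) => e.email?.toLowerCase(), limit: 5, windowMs: 10 * MIN },
  // 10+ access denials from the same user in 1 hour
  { event: 'authz.access_denied', by: 'user', keyOf: (e) => e.userId, limit: 10, windowMs: 60 * MIN },
];

// Returns observe(event) -> alerts[]. Events must arrive in timestamp order.
function createDetector(rules = RULES) {
  const seen = new Map(); // "<rule>|<key>" -> timestamps still inside the window
  const alerted = new Map(); // "<rule>|<key>" -> time of last alert (one alert per window)
  return function observe(e) {
    const alerts = [];
    rules.forEach((rule, i) => {
      if (rule.event !== e.event) return;
      const key = rule.keyOf(e);
      if (key === undefined || key === null) return; // nothing to group by
      const slot = `${i}|${key}`;
      // Drop timestamps that aged out of the window, then record this event.
      const recent = (seen.get(slot) || []).filter((t) => e.ts - t < rule.windowMs);
      recent.push(e.ts);
      seen.set(slot, recent);
      const last = alerted.get(slot);
      const quiet = last === undefined || e.ts - last >= rule.windowMs;
      if (recent.length >= rule.limit && quiet) {
        alerted.set(slot, e.ts);
        alerts.push({ event: rule.event, by: rule.by, key, count: recent.length });
      }
    });
    return alerts;
  };
}

// Constructed sample: one IP tries five accounts, then five IPs try one account.
function sampleAlerts() {
  const observe = createDetector();
  const events = [];
  for (let i = 0; i < 5; i++) {
    events.push({ event: 'auth.login_failed', ts: i * MIN, ip: '203.0.113.7', email: `user${i}@example.com` });
    events.push({ event: 'auth.login_failed', ts: (20 + i) * MIN, ip: `198.51.100.${i + 1}`, email: 'Alice@example.com' });
  }
  events.sort((a, b) => a.ts - b.ts);
  return events.flatMap((e) => observe(e));
}
```

In a real deployment the two maps need eviction (or a store with TTLs) so that keys for idle IPs and accounts do not accumulate.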

10. authz.permission_granted

A new permission was assigned to a user or role.

11. authz.permission_revoked

A permission was removed. Important for compliance auditing.

12. authz.role_changed

Role changes can be legitimate or signs of privilege escalation.

What to capture:

  • Who made the change
  • Target user
  • Previous role → New role

Admin Events

Admin actions are high-impact. Every single one should be logged.

13. admin.user_created

New accounts being created, especially outside normal signup flow.

14. admin.user_deleted

Account deletion. Critical for compliance and incident investigation.

15. admin.user_suspended

Account suspension. Track who suspended and why.

16. admin.privilege_escalation

This is critical. Any elevation of privileges should trigger immediate review.

Examples:

  • User promoted to admin
  • New permissions added to existing admin
  • Service account created with elevated access

Recommended action: Immediate Slack/email notification to security team.

17. admin.settings_changed

Global application settings modified. Changes here affect everyone.

What to capture:

  • Setting name
  • Previous value → New value
  • Who made the change

18. admin.api_key_created

New API key generated. API keys are often more powerful than user accounts.

What to capture:

  • Key name/identifier (never the key itself)
  • Assigned permissions
  • Who created it

19. admin.api_key_revoked

API key deactivated. Track whether this was manual or automatic (expiration, security event).

Data Events

Data is what attackers are after. Monitor how it's accessed.

20. data.sensitive_access

Access to PII, financial data, or other sensitive information.

Examples:

  • Viewing another user's profile (admin action)
  • Exporting customer list
  • Accessing payment information

21. data.export

Any bulk data export. This is a top indicator of data exfiltration.

What to capture:

  • Export type (CSV, JSON, PDF)
  • Number of records
  • Data types included
  • Destination (download, email, integration)

Alert threshold: Any export over 1,000 records, or any export to external email.
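
One way to evaluate this threshold, as an added example that is not LiteSOC code. The event fields (`records`, `destination`, `recipient`), the `INTERNAL_DOMAINS` placeholder, and the choice to alert when the record count is missing are assumptions. The "external email" half is where implementations usually go wrong: the recipient's domain has to be compared on whole labels, not by substring or bare suffix.

```javascript
// Added example; event fields and INTERNAL_DOMAINS are assumptions, not a LiteSOC schema.
const EXPORT_RECORD_LIMIT = 1000;
const INTERNAL_DOMAINS = ['example.com']; // placeholder for the organization's own mail domains

// True when the address is not on an internal domain or one of its subdomains.
function isExternalEmail(address, internal = INTERNAL_DOMAINS) {
  const s = String(address);
  const at = s.lastIndexOf('@');
  if (at < 1) return true; // missing or unparseable recipient: treat as external
  const domain = s.slice(at + 1).trim().toLowerCase().replace(/\.$/, '');
  // Whole-label match: "example.com.evil.test" and "notexample.com" are external.
  return !internal.some((d) => domain === d || domain.endsWith(`.${d}`));
}

// Returns the reasons a data.export event should alert (empty array = no alert).
function exportAlertReasons(e) {
  const reasons = [];
  if (!Number.isInteger(e.records) || e.records < 0) {
    reasons.push('record_count_missing'); // assumption: fail closed on incomplete events
  } else if (e.records > EXPORT_RECORD_LIMIT) {
    reasons.push('over_1000_records');
  }
  if (e.destination === 'email' && isExternalEmail(e.recipient)) {
    reasons.push('external_email');
  }
  return reasons;
}

// Constructed sample events, evaluated in order.
function sampleExportAlerts() {
  return [
    { records: 250, destination: 'download' },
    { records: 1001, destination: 'download' },
    { records: 10, destination: 'email', recipient: 'Ops@Reports.Example.com' },
    { records: 10, destination: 'email', recipient: 'ops@example.com.evil.test' },
    { records: 5000, destination: 'email', recipient: 'ops@notexample.com' },
  ].map(exportAlertReasons);
}
```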

22. data.bulk_delete

Mass deletion is either cleanup or destruction.

What to capture:

  • Number of records
  • Data type
  • Who initiated
  • Whether recoverable (soft delete vs hard delete)

Recommended action: Require confirmation for deletes over 100 records.

Security Events

These are explicit security incidents or near-misses.

23. security.brute_force_detected

Your system detected a brute force pattern. This should trigger automated responses.

Automated responses:

  • Temporary IP block
  • Account lockout
  • CAPTCHA requirement
  • Alert to security team

24. security.suspicious_activity

Catch-all for anomalies that don't fit other categories.

Examples:

  • Login from new country
  • Unusual access pattern
  • Multiple failed payments
  • Rapid API requests

25. security.rate_limit_exceeded

Someone is hitting your API hard. Could be a bug, could be an attack.

What to capture:

  • Endpoint hit
  • Request count
  • Time window
  • IP address and user (if authenticated)

26. security.ip_blocked

An IP was blocked, either automatically or manually.

What to capture:

  • IP address
  • Block reason
  • Duration
  • Who/what initiated the block

Implementing These Events

Here's how to implement comprehensive security event tracking with LiteSOC:

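import { LiteSOC, SecurityEvents } from '@litesoc/sdk';

// The API key is read from the environment, not hard-coded.
const litesoc = new LiteSOC({
  apiKey: process.env.LITESOC_API_KEY,
});

// Track a failed login. Call from your login handler: `request` is the
// incoming HTTP request, the other arguments come from your auth code.
async function trackFailedLogin(request, attemptedUserId, attemptedEmail, failedAttempts) {
  await litesoc.track({
    event: SecurityEvents.AUTH_LOGIN_FAILED,
    actor: {
      id: attemptedUserId,
      email: attemptedEmail,
    },
    ip: request.ip,
    metadata: {
      reason: 'invalid_password',
      attempt_count: failedAttempts,
    },
  });
}

// Track privilege escalation (critical). `adminUser` is the account that
// made the change, `targetUser` is the account being promoted.
async function trackPromotionToAdmin(request, adminUser, targetUser) {
  await litesoc.track({
    event: SecurityEvents.ADMIN_PRIVILEGE_ESCALATION,
    actor: {
      id: adminUser.id,
      email: adminUser.email,
    },
    ip: request.ip,
    metadata: {
      target_user_id: targetUser.id,
      previous_role: 'user',
      new_role: 'admin',
      reason: 'Promoted to admin by CEO',
    },
  });
}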

What Happens After You Track?

Logging is step one. What you do with the logs matters more:

  1. Real-time alerting: Critical events (brute force, privilege escalation, bulk exports) should trigger immediate notifications.

  2. Behavioral analysis: LiteSOC's AI analyzes patterns to detect anomalies—like a user suddenly logging in from a new country or accessing resources they've never touched before.

  3. Compliance reporting: When auditors ask "show me all admin actions in the last 90 days," you can answer in seconds.

  4. Incident investigation: When something goes wrong, you have a complete timeline of what happened.

Start Today

You don't need to implement all 26 events on day one. Start with the critical ones:

Week 1:

  • auth.login_success
  • auth.login_failed
  • auth.mfa_disabled

Week 2:

  • admin.privilege_escalation
  • admin.user_created
  • admin.user_deleted

Week 3:

  • data.export
  • data.bulk_delete
  • security.brute_force_detected

Week 4:

  • Everything else

In 30 days, you'll have comprehensive security visibility. That's the difference between "we got hacked" and "we detected and stopped an attack."


Ready to implement security event tracking? Get started with LiteSOC — it takes less than 10 minutes.
