The 26 Security Events Every SaaS Should Track
Not sure what to log? Here's the definitive list of security events that matter—organized by category with implementation examples.
The 26 Security Events Every SaaS Should Track
"What should we be logging?"
It's a question every engineering team asks eventually—usually right before an incident, or right after.
The answer isn't "everything." That creates noise. The answer is: log the events that matter for security, compliance, and incident response.
Here are the 26 security events we recommend tracking, organized by category. This is the same taxonomy LiteSOC uses internally, and it's based on patterns from hundreds of SaaS applications.
Authentication Events
These events track how users prove their identity.
| Event Type | When to Track |
|---|---|
user.login.success | User successfully authenticates |
user.login.failed | Authentication attempt rejected |
user.logout | User ends their session |
user.mfa.enabled | User enables two-factor authentication |
user.mfa.disabled | User disables two-factor authentication |
user.mfa.challenge.success | User passes MFA challenge |
user.mfa.challenge.failed | User fails MFA challenge |
Why it matters: 81% of breaches involve compromised credentials (Verizon DBIR). These events are your first line of defense.
Account Lifecycle Events
These events track changes to user accounts.
| Event Type | When to Track |
|---|---|
user.created | New user account created |
user.deleted | User account removed |
user.email.changed | User changes their email address |
user.password.changed | User changes their password |
user.password.reset_requested | Password reset flow initiated |
user.password.reset_completed | Password successfully reset |
Why it matters: Account takeover often starts with a password reset or email change. These events help you detect and investigate compromises.
Authorization Events
These events track permission and access changes.
| Event Type | When to Track |
|---|---|
user.role.updated | User's role or permissions changed |
user.invited | User invited to organization |
user.removed | User removed from organization |
team.member.added | User added to a team |
team.member.removed | User removed from a team |
Why it matters: Privilege escalation is a key step in most attacks. Tracking role changes helps you detect insider threats and compromised admin accounts.
API & Integration Events
These events track programmatic access to your system.
| Event Type | When to Track |
|---|---|
api_key.created | New API key generated |
api_key.revoked | API key invalidated |
api_key.used | API key used for authentication |
webhook.created | Webhook endpoint configured |
webhook.deleted | Webhook endpoint removed |
oauth.authorized | OAuth app granted access |
oauth.revoked | OAuth app access revoked |
Why it matters: API keys and OAuth tokens are credentials too. Leaked keys are a common attack vector—tracking creation and usage helps you detect abuse.
Data Access Events
These events track access to sensitive information.
| Event Type | When to Track |
|---|---|
data.exported | User exports data from the system |
data.viewed | User accesses sensitive records |
data.deleted | User deletes records |
Why it matters: Data exfiltration is often the goal of an attack. These events create an audit trail for what was accessed and by whom.
System Events
These events track infrastructure and configuration changes.
| Event Type | When to Track |
|---|---|
settings.updated | System settings changed |
billing.plan.changed | Subscription plan modified |
Why it matters: Configuration changes can create security vulnerabilities. Billing changes might indicate account compromise.
Implementation Checklist
Use this checklist to audit your current logging:
Must Have (Critical)
user.login.successuser.login.faileduser.password.changeduser.password.reset_requesteduser.role.updatedapi_key.createdapi_key.revoked
Should Have (Important)
user.createduser.deleteduser.mfa.enableduser.mfa.disableddata.exportedoauth.authorizedoauth.revoked
Nice to Have (Comprehensive)
user.logoutuser.invitedapi_key.useddata.viewed(for sensitive records)settings.updated
What Makes a Good Security Event
Every event should include:
| Field | Description | Example |
|---|---|---|
event_type | Standardized event name | user.login.success |
timestamp | When it happened (UTC) | 2024-01-15T09:32:17Z |
actor.id | Who did it | usr_abc123 |
actor.email | Actor's email | alice@acme.com |
target | What was affected (if applicable) | { type: "user", id: "usr_xyz" } |
metadata.ip_address | Where it came from | 203.0.113.42 |
metadata | Additional context | { method: "sso", provider: "okta" } |
Getting Started
If you're starting from zero, implement in this order:
- Week 1: Authentication events (login, logout, password changes)
- Week 2: Authorization events (role changes, invitations)
- Week 3: API events (key creation, OAuth grants)
- Week 4: Data access events (exports, sensitive views)
Or, use LiteSOC and implement all 26 in an afternoon. Our SDK normalizes events automatically and handles the infrastructure so you can focus on shipping.
Start tracking security events →
Have questions about which events to prioritize for your specific use case? Email us at hello@litesoc.io—we're happy to help you build your security logging strategy.
Stay Updated
Get the latest security insights and product updates delivered to your inbox. No spam, unsubscribe anytime.