# LiteSOC — Complete LLM Context Document > This document contains the full public knowledge base of LiteSOC for use by AI editors > and code-generation tools (Cursor, Claude, Copilot, etc.). > Index: https://litesoc.io/llms.txt — Generated: 2026-04-14T18:41:48.531Z - **Website:** https://litesoc.io - **API Base:** https://api.litesoc.io - **Blog:** https://blog.litesoc.io - **Docs:** https://litesoc.io/docs/api --- # LiteSOC — About > Building the future of Security Observability. Enterprise-grade forensics and behavioral intelligence for every startup. - **Website:** https://litesoc.io/about ## Mission LiteSOC gives every startup the same forensic depth and behavioral intelligence that enterprise security teams rely on — delivered as a clean API you can integrate in minutes. ## Core Values ### Trust SOC 2 ready from day one. Full audit trails, transparent data practices, and compliance tooling baked into every layer — not bolted on later. ### Simplicity One API call. No agents to install, no complex configuration, no security PhD required. Integrate in under 2 minutes and get real insight immediately. ### Innovation Behavioral AI, Impossible Travel detection, geo-anomaly baselines, and VPN/Tor fingerprinting — built for startups, not just Fortune 500 teams. ## Key Stats | Metric | Value | |---|---| | Events processed daily | 1M+ | | Standard event types | 26 | | Integration time | < 2 min | | API p99 latency | < 50ms | --- # LiteSOC — How It Works > Application-level security that works like a CCTV inside your house, not just a fence around it. Setup in 2 minutes. - **Website:** https://litesoc.io/how-it-works ## The Analogy | Layer | Tool | What It Does | |---|---|---| | Network-level (fence outside) | Cloudflare, WAF | Stops strangers from getting into your property. Blocks bots, DDoS attacks, and known bad actors before they reach your door. | | Application-level (CCTV inside) | LiteSOC | Watches what happens after someone walks through the front door. Records who came in, what they touched, and alerts you if someone starts acting suspiciously — even if they had a key. | ## Setup Steps ### Step 1: Create your free account Sign up at litesoc.io. It takes less than a minute. No credit card needed. You will get an API key immediately — that is the only thing you need to connect your app. ### Step 2: Place the API call at the right spots in your app LiteSOC is not just a login monitor. For full coverage, you call the API at different sensitive points in your app: ```typescript // 1. After login (auth events) await litesoc.track({ event: 'auth.login', userId: user.id }); // 2. In your Admin Panel (privilege escalation events) await litesoc.track({ event: 'authz.role_change', userId: user.id, metadata: { from: 'viewer', to: 'admin' } }); // 3. In Data Management (bulk delete / export events) await litesoc.track({ event: 'data.bulk_delete', userId: user.id, metadata: { recordCount: 500, table: 'customers' } }); // 4. In Account Settings (password & MFA change events) await litesoc.track({ event: 'auth.password_change', userId: user.id }); await litesoc.track({ event: 'auth.mfa_enabled', userId: user.id }); ``` ### Step 3: LiteSOC watches what happens inside your app Every time someone logs in, accesses a resource, or performs a sensitive action, LiteSOC records it. It automatically enriches each event with the user's location, device, IP risk score, and whether they are using a VPN or Tor. ### Step 4: Get alerted the moment something suspicious happens If LiteSOC detects unusual behaviour — like a user logging in from two different countries within an hour, or multiple failed login attempts — it sends you an instant alert via Slack, email, or webhook. ## Frequently Asked Questions **Q: Is LiteSOC like Cloudflare?** No. Cloudflare is a fence around your house. It protects your server from attacks before they reach your app. LiteSOC is a CCTV inside the house. It watches what happens after someone gets in. You ideally want both. **Q: What does 'application-level security' mean?** It means LiteSOC works inside your app, not at the network level. Instead of looking at raw network traffic, it tracks real user actions — logins, data access, account changes — with full context about who did what, when, and from where. **Q: Do I need to be a security expert to use this?** Not at all. LiteSOC is designed for developers and founders, not security teams. You add one line of code after your login check, connect your Slack, and you are done. **Q: Will it slow down my app?** No. LiteSOC sends events in the background asynchronously. The average latency added is less than 50ms, and it does not block your app from responding. **Q: What is 'impossible travel'?** Impossible travel is when the same account logs in from two locations that are physically impossible to travel between in the time gap between logins. For example: logged in from Kuala Lumpur at 9am, then from London at 9:05am. **Q: Does it work with Supabase, Firebase, or Auth0?** Yes. LiteSOC has native integrations with Supabase Auth, Auth0, Firebase Auth, Clerk, and NextAuth.js. Setup takes under 2 minutes. --- # LiteSOC — Features > Enterprise-grade security that scales with your startup. Behavioral AI, forensic maps, and SOC 2 compliant security logs. - **Website:** https://litesoc.io/features - **Docs:** https://litesoc.io/docs/api ## Core Ingestion Engine ### Smart Event Normalizer LiteSOC automatically maps 40+ messy log formats into 26 Standard Security Events, giving you a unified view across your entire stack. ### REST API First No heavy agents. No complex deployments. A simple REST API call from your existing codebase. Start tracking security events in minutes, not months. - 26 Standard Events - 40+ Format Support - < 50ms Average Latency ### 26 Standard Security Event Types `auth.login_success`, `auth.login_failed`, `auth.logout`, `auth.password_reset`, `auth.mfa_enabled`, `auth.mfa_disabled`, `auth.session_expired`, `auth.token_refreshed`, `authz.access_granted`, `authz.access_denied`, `authz.permission_granted`, `authz.role_changed`, `admin.user_created`, `admin.user_deleted`, `admin.role_changed`, `admin.settings_changed`, `admin.api_key_created`, `admin.api_key_revoked`, `admin.user_impersonation`, `data.export`, `data.sensitive_access`, `data.deletion`, `security.brute_force_detected`, `security.suspicious_activity`, `security.ip_blocked`, `security.rate_limit_exceeded` ## Behavioral AI & Threat Detection ### Impossible Travel Detection Uses Haversine-formula distance calculation to detect physically impossible login patterns. Example: Kuala Lumpur at 9:00 AM → London at 9:05 AM = 10,557 km in 5 minutes. Requires Pro plan or above. ### Geo-Anomaly Detection Builds a 30-day behavioral baseline of each user's login locations. Flags logins from new, unexpected countries — especially from the high-risk list. Requires Pro plan or above. ### Brute Force Detection Detects repeated failed login attempts and generates security alerts. Basic detection on Free, Advanced on Pro and Enterprise with faster detection windows and combined threat correlation. ### High-Risk Countries - 🇰🇵 North Korea (KP) - 🇮🇷 Iran (IR) - 🇷🇺 Russia (RU) - 🇨🇳 China (CN) - 🇧🇾 Belarus (BY) - 🇻🇪 Venezuela (VE) - 🇸🇾 Syria (SY) - 🇨🇺 Cuba (CU) ## Forensic Intelligence Every event is automatically enriched with: - **GeoIP:** City, country, region, coordinates, timezone - **Network Intelligence:** VPN/Tor/proxy detection, datacenter identification, ASN lookup, ISP data - **Threat Scoring:** Automated risk assessment based on network signals - **Device Fingerprinting:** User agent parsing, SDK vs browser detection ## Role-Based Access Control (RBAC) - **Owner** — Full control including billing, team management, and danger zone actions (All permissions) - **Admin** — Manage team members, configure settings, and view all data (Team + Settings + Data) - **Member** — View and interact with security events and alerts (Events + Alerts) - **Viewer** — Read-only access to dashboards and reports (Read Only) ## Integrations - **SDKs:** Node.js, Python, PHP (official) - **Alerts:** Email, Slack, Discord, Webhooks - **Automation:** n8n node (LiteSOC Trigger + LiteSOC Action) - **Auth Providers:** Supabase Auth, Auth0, Firebase Auth, Clerk, NextAuth.js --- # LiteSOC — Pricing > Simple, transparent pricing. Secure your SaaS at any scale. Start free, upgrade when you need more. - **Website:** https://litesoc.io/pricing - **Signup:** https://litesoc.io/signup ## Plans ### Free Perfect for side projects and getting started **Price:** Free - 5,000 events/month - 7-day event retention - Basic threat detection - Email alerts - 1 team member - Email support --- ### Pro For growing teams with serious security needs **Price:** $15/mo (or $12.5/mo billed yearly) - 50,000 events/month - 30-day event retention - Advanced threat detection - Impossible Travel detection - Geo-Anomaly detection - Slack & Discord alerts - 10 team members (coming soon) - Webhook integrations - Priority email support --- ### Enterprise For organizations with advanced security requirements **Price:** $99/mo (or $82.5/mo billed yearly) - 500,000 events/month - 90-day event retention - Custom threat models - IP whitelisting (CIDR support) - SAML/OIDC Single Sign-On - Compliance audit logs - Unlimited team members (coming soon) - Dedicated support - SLA guarantee --- ### Custom Tailored solutions for large enterprises with specific needs **Price:** Custom pricing - Unlimited / Negotiable events - 1-2 Year event retention - Custom threat models + Dedicated Assistance to Setup - IP whitelisting (CIDR support) - Enforced SSO across all members - Unlimited History / Exportable for Regulators - Unlimited team members - Dedicated Account Manager & Technical Lead - 99.99% Uptime Guarantee with Financial Credits - Custom DPA, MSA, and Security Questionnaires ## Feature Comparison #### Events & Storage | Feature | Free | Pro | Enterprise | Custom | |---|---|---|---|---| | Monthly Events | 5,000 | 50,000 | 500,000 | Unlimited / Negotiable | | Event Retention | 7 days | 30 days | 90 days | 1 Year - 2 Years | | Events per Second | 10 | 100 | 1,000 | Unlimited / Dedicated Throughput | | Rate Limit (Requests/Min) | 100 | 500 | 2,000 | Customizable / Unlimited | #### Threat Detection | Feature | Free | Pro | Enterprise | Custom | |---|---|---|---|---| | Basic Threat Detection | ✓ | ✓ | ✓ | ✓ | | Brute Force Detection | Basic | Advanced | Advanced | Advanced + Predictive ML | | Geo-Anomaly Detection | ✗ | ✓ | ✓ | ✓ | | Impossible Travel Detection | ✗ | ✓ | ✓ | ✓ | | Custom Threat Models | ✗ | ✗ | ✓ | Dedicated Assistance to Setup | | Custom Severity Levels | ✗ | ✗ | ✓ | ✓ | #### Alerts & Integrations | Feature | Free | Pro | Enterprise | Custom | |---|---|---|---|---| | Email Alerts | ✓ | ✓ | ✓ | ✓ | | Slack Integration | ✗ | ✓ | ✓ | ✓ | | Discord Integration | ✗ | ✓ | ✓ | ✓ | | Webhook Integrations | ✗ | ✓ | ✓ | Forward to AWS S3, BigQuery, Splunk | | Custom Alert Rules | ✗ | ✗ | ✓ | ✓ | #### Security & Access | Feature | Free | Pro | Enterprise | Custom | |---|---|---|---|---| | API Access | Event Tracking | Full Access | Full Access | Full Access + Dedicated API Endpoint | | GeoIP Enrichment | ✓ | ✓ | ✓ | ✓ | | Authorized Origins (CORS) | 1 Domain | 5 Domains | Unlimited | Unlimited | | Wildcard Subdomains | ✗ | ✓ | ✓ | ✓ | | Audit Logs (Compliance) | ✗ | ✓ | ✓ | Unlimited History / Exportable for Regulators | | SAML/OIDC SSO | ✗ | ✗ | ✓ | Enforced SSO across all members | | IP Whitelisting (CIDR) | ✗ | ✗ | ✓ | ✓ | | Data Residency | ✗ | ✗ | ✓ | Choose region for data storage | #### Team & Support | Feature | Free | Pro | Enterprise | Custom | |---|---|---|---|---| | Team Members | 1 | 10 | Unlimited | Unlimited | | Community Support | ✓ | ✓ | ✓ | ✓ | | Priority Email Support | ✗ | ✓ | ✓ | ✓ | | Dedicated Support | ✗ | ✗ | ✓ | Dedicated Account Manager & Technical Lead | | SLA Guarantee | ✗ | ✗ | ✓ | 99.99% Uptime Guarantee with Financial Credits | | Custom Contracts | ✗ | ✗ | ✗ | Custom DPA, MSA, and Security Questionnaires | ## Frequently Asked Questions **Q: What happens if I exceed my event limit?** We'll notify you via email when you're approaching your limit. Once exceeded, new events will be queued but not processed until you upgrade your plan or the next billing cycle begins. Your existing data remains fully accessible. **Q: Is my data secure?** Absolutely. We use industry-standard AES-256 encryption for data at rest and TLS 1.3 for data in transit. Our database implements Row Level Security (RLS) to ensure strict data isolation between organizations. We're also SOC 2 Type II compliant. **Q: Can I cancel anytime?** Yes, you can cancel your subscription at any time from your dashboard settings. Your subscription will remain active until the end of your current billing cycle, and you'll retain access to all features until then. No questions asked. **Q: Do you support custom retention periods?** Yes! Enterprise customers can request custom data retention periods beyond the standard 90 days. Contact our sales team to discuss your specific compliance and data retention requirements. **Q: How does the 14-day free trial work?** When you sign up for Pro, you get full access to all Pro features for 14 days—no credit card required. At the end of your trial, you can choose to subscribe or automatically downgrade to our Free plan with no data loss. **Q: Can I upgrade or downgrade my plan?** Absolutely! You can upgrade anytime and your new features will be available immediately. When downgrading, your current plan remains active until the end of your billing cycle. All plan changes can be made directly from your dashboard settings. **Q: What payment methods do you accept?** We accept all major credit cards (Visa, Mastercard, American Express) through our secure payment processor, Stripe. Enterprise customers can also pay via invoice with NET-30 terms. **Q: Do you offer refunds?** We offer a 14-day money-back guarantee on all paid plans. If you're not satisfied within the first 14 days of your subscription, contact our support team for a full refund. **Q: How do I integrate LiteSOC with my application?** Integration is simple! We provide official SDKs for Node.js, Python, and PHP, plus a REST API for any other language. Most developers are up and running in under 10 minutes. Check out our documentation for step-by-step guides. **Q: What happens to my data if I downgrade?** Your data is never deleted when downgrading. However, you'll only be able to access data within your new plan's retention period. For example, if you downgrade from Pro (30-day retention) to Free (7-day retention), you'll see the most recent 7 days of events. --- # LiteSOC — Security & Compliance Center > Built with security at its core. From infrastructure to application layer, we implement industry best practices to protect your data. - **Website:** https://litesoc.io/security - **Security Audit Score:** 97% (February 24, 2026) - **Responsible Disclosure:** https://litesoc.io/acknowledgements ## Trust Badges - 256-bit AES Encryption - Row Level Security (RLS) - PII Auto-Redaction - MFA Support - 100% Audit Logging ## Infrastructure Security ### SOC 2 Type 1 Ready Our infrastructure and processes are designed to meet SOC 2 Type 1 compliance requirements for security, availability, and confidentiality. ### Enterprise Data Centers Hosted on AWS and Vercel infrastructure with ISO 27001 certified data centers, geographic redundancy, and 99.99% uptime SLA. ### 256-bit AES Encryption All data at rest is encrypted using AES-256 encryption. Data in transit is protected with TLS 1.3, the latest encryption standard. ### DDoS Protection Enterprise-grade DDoS mitigation through Cloudflare and Vercel Edge Network, protecting against volumetric and application-layer attacks. ## Data Protection ### Structured Logging with Auto-Redaction Our server-side logging system automatically detects and masks sensitive data before it reaches any log storage. - Automatic PII detection and masking (emails, names, IPs) - API key auto-redaction (whsk_*, x-api-key headers) - JWT token masking in request/response logs - Password and secret detection with automatic removal - Session ID and cookie value redaction ### Row Level Security (RLS) PostgreSQL Row Level Security ensures complete data isolation between tenants at the database layer. - Database-enforced multi-tenant isolation - No cross-organization data access possible - Policies applied at query execution time - Protection against application-layer bugs ### Secure API Key Storage API keys are one-way hashed using SHA-256 before storage. Original keys cannot be recovered from our database. - SHA-256 hashed storage (irreversible) - Keys shown only once at creation - Instant key regeneration capability - Automatic key rotation reminders ## Access Control ### Multi-Factor Authentication (MFA) TOTP-based two-factor authentication with authenticator app support and secure recovery codes. - TOTP authenticator app support (Google, Authy, etc.) - Secure recovery code generation - MFA enforcement available for Enterprise - Rate-limited verification attempts ### Session Management - Secure HTTP-only session cookies - Automatic session expiration (configurable) - View and revoke active sessions - Device and location tracking - Sign out from all devices instantly ### Role-Based Access Control (RBAC) | Role | Description | |---|---| | Owner | Full access including billing, user management, and organization deletion | | Admin | Manage settings, API keys, integrations, and view all security data | | Viewer | Read-only access to dashboards, events, and alerts | ## Audit Trail - 100% Administrative Action Logging — every action captured with timestamp, actor, IP address, and change details - Exportable Audit Logs — CSV or JSON format for compliance reporting - Tamper-Evident Records — append-only logs protected by Row Level Security - 90-Day Retention (Enterprise) — extended retention available upon request ## Vulnerability Management - **Automated Dependency Scanning:** Continuous scanning using GitHub Dependabot and Snyk - **Static Code Analysis:** Automated scanning on every commit - **Responsible Disclosure Program:** We welcome security researchers to report vulnerabilities - **Regular Security Updates:** Critical patches deployed within 24 hours ## Compliance Status | Standard | Status | |---|---| | SOC 2 Type 1 | Ready | | SOC 2 Type 2 | Ready | | PDPA (Malaysia) | Ready | | GDPR (EU) | Ready | | Cyber Security Act 2024 (Malaysia) | Ready | | Data Residency Options | Available (APAC, EU, US) | --- # LiteSOC — Changelog > Stay up to date with the latest features, improvements, and fixes. - **Website:** https://litesoc.io/changelog ## v2.1.0 — April 11, 2026 **LiteSOC Agent — Infrastructure Monitoring & Server Health** Introducing the LiteSOC Agent: a lightweight, open-source Go binary that runs on your servers and streams real-time health metrics to your dashboard. Includes automated offline detection, security alerts, and multi-channel notifications when a server goes down. - **[New]** New litesoc-agent: a single-binary Go agent installed via one-line curl script. Sends heartbeats every 60 seconds with hostname, OS, CPU, and RAM metrics. - **[New]** Heartbeat Ingestion API (Edge Runtime): new POST /api/v1/agent/heartbeat endpoint validates agent payloads with Zod, upserts server records, and returns within milliseconds. - **[New]** Infrastructure Dashboard: real-time server grid showing online/offline status, OS, CPU/RAM gauges, and last-seen timestamps. Powered by Supabase Realtime for instant updates. - **[New]** Server Offline Detection: automated cron worker runs every 5 minutes, marks servers as offline after a missed heartbeat window, and creates security alerts for each newly-offline server. - **[New]** Server Down Notifications: offline alerts trigger Email notifications for all tiers, plus Slack, Discord, and Webhook delivery for Pro and Enterprise plans. - **[New]** One-click install dialog: the Infrastructure Dashboard includes a copy-paste install command with automatic API key and project ID injection. - **[Security]** Agent heartbeat API enforces tenant isolation, validates API key server-side, and throttles audit log writes to one per server per hour via Redis TTL. - **[Improved]** New infrastructure_servers table with RLS policies. --- ## v2.0.0 — April 2, 2026 **LLM-Friendly Public API — AI Context Layer** Introduced a complete LLM compatibility layer for the LiteSOC public site. Every public-facing page now has a corresponding raw Markdown route, a central /llms.txt index, a full-context /llms-full.txt document, and an AI Editor banner on the onboarding and API docs pages. - **[New]** New /llms.txt route: central index following the llmstxt.org proposal, linking all public Markdown routes and official SDK repositories (Node.js, Python, PHP). - **[New]** Markdown routes for all public pages: /pricing.md, /features.md, /security.md, /about.md, /docs.md, /how-it-works.md, /changelog.md, /help.md, /docs/api.md, /docs/integrations.md — each returns a text/markdown response kept in sync with the UI via shared data modules. - **[New]** New /llms-full.txt dynamic route: concatenates all static product pages, the full API reference, every help center article (with full body content), and all published blog posts fetched live from the database into a single Markdown document for AI agents. - **[New]** 'AI Editor' banner added to the Dashboard Integration Guide and the public API Docs page, shows a one-click copyable @https://litesoc.io/llms.txt string with instructions for Cursor and Claude. - **[New]** 'LLM Friendly' link added to the site footer, pointing to /llms.txt. --- ## v1.9.9 — March 18, 2026 **Critical Pipeline Fix — Brute Force Alerts & Free-Tier View Event** Fixes a race condition in the worker pipeline that prevented new brute force alerts from being created, adds the View Event button for Free-tier users, and fixes dismissed alerts reappearing on realtime updates. - **[Fixed]** Worker pipeline ordering: events are now inserted into the database before alerts are created, preventing a foreign key constraint failure on trigger_event_id that silently blocked new brute force (and all other) alert creation across all tiers. - **[Fixed]** Dismissed alerts no longer reappear when new alerts arrive via realtime. The filter now checks the server-synced status field ('dismissed', 'resolved') in addition to local component state. - **[New]** Free-tier users can now see the 'View Event' button on brute force alerts, providing basic forensic visibility into the triggering event without requiring a Pro upgrade. --- ## v1.9.8 — March 18, 2026 **Free-Tier UX Overhaul — Dismiss Alerts, Dynamic Incident Storyline & Cleaner Dashboard** A complete quality-of-life pass for Free-tier users: a lightweight Dismiss workflow replaces the forced upgrade wall for alert management, the Incident Storyline now shows contextually accurate labels per alert type with correlated event counts, and the retention notice is redesigned as a thin, dismissible info bar. - **[New]** Dismiss Alert for Free users: Free-tier users can now dismiss open alerts directly from the Behavioral Anomalies card and Forensic Sheet via a new ghost-style 'Dismiss' button. - **[New]** Automatic housekeeping for Free accounts: the daily retention cron now auto-dismisses any 'open' or 'acknowledged' alert older than 7 days for Free-plan organizations. - **[New]** Dynamic Incident Storyline labels: the Discovery step now shows a contextually accurate sublabel per alert type. - **[New]** Retention Info Bar: the large blurred overlay block below the Activity Feed table is replaced with a compact, single-line dismissible bar. - **[Improved]** Optimistic UI for alert dismissal: dismissed alerts are removed from the Behavioral Anomalies card immediately on click without waiting for the server response. - **[Security]** dismissAlertAction enforces server-side tenant isolation, requires org membership, is idempotent for already-dismissed alerts. Audited as 'alert.dismissed' in the SOC 2 audit log. --- ## v1.9.7 — March 12, 2026 **LiteSOC Merch Store** Launched an official merchandise store at /merch with plan-aware pricing, Stripe Checkout for physical goods with shipping address collection, a confetti success page, and a new merch_orders table. - **[New]** New /merch page: high-end product gallery (Tee, Hoodie, Cap, Mug, Stickers) with dark-mode Zinc-950 styling. - **[New]** Plan-aware pricing: Enterprise users see a 'Claim for Free' button for the Official LiteSOC Tee; Pro users receive a 20% member discount. - **[New]** createMerchCheckoutSession Server Action: Stripe Checkout in payment mode with shipping address collection. - **[New]** New merch_orders table with RLS: stores user_id, org_id, item_name, size, shipping_status, and stripe_session_id. - **[Improved]** Added merch.order_placed and merch.free_claim_redeemed audit log actions for SOC 2 compliance tracking. --- ## v1.9.6 — March 11, 2026 **Advanced Custom Threat Model Engine (Enterprise Tier)** Custom Threat Models now support multi-condition AND/OR/NOT logic, deep metadata field filtering, result grouping, and chained-event detection. - **[New]** Advanced condition schema: conditions now support { logical_operator: 'AND' | 'OR' | 'NOT', filters: [...], group_by? }. - **[New]** Deep metadata filtering: filter fields now resolve dot-notation paths up to two levels deep. - **[New]** Chained event ('FOLLOWED BY') detection: new chained_event_type and chain_time_window_minutes columns. - **[Improved]** Redis pipeline batching: primary event counter increments are now pipelined (single round-trip). --- ## v1.9.5 — March 11, 2026 **Network Intelligence Hardening & Security Fixes** A focused quality-of-life and security pass fixing incorrect network type detection, a free-tier data-leak in the Management API, and inconsistent Server IP display. - **[Fixed]** network_type now correctly stored as 'datacenter' (or 'vpn'/'proxy'/'tor') when detected via ASN/GeoIP enrichment. - **[Fixed]** Network Type badge in the Event Detail panel now derives the correct value from the already-resolved flags. - **[Fixed]** Metadata redaction for free tier now also covers is_datacenter, network_type, and network_provider keys. - **[Fixed]** Server IP (Origin) row in Event Detail is now suppressed when the value is meaningless. - **[Improved]** GET /api/v1/events/:id _redacted_fields response field now accurately lists all nullified columns. --- ## v1.9.4 — March 10, 2026 **Automated Monthly Security Digest** LiteSOC now emails a dashboard-style security summary at the start of each month. - **[New]** Monthly Security Digest email with dashboard-in-email layout. - **[New]** Top 3 Attacking IPs table and Top Attacking Country indicator. - **[New]** 'View Full Forensic History' button in digest email. - **[Improved]** Opt-in by design: only sent when 'monthly_reports_enabled' is true. - **[Security]** Endpoint secured with constant-time CRON_SECRET check and audited service client. - **[Security]** Redis-based deduplication ensures only one digest email per org per month. --- ## v1.9.3 — March 9, 2026 **Instant Security Alert Notifications** Pro and Enterprise users now see a pop-up notification the moment a new security alert is detected. - **[New]** Real-time alert pop-ups: notifications appear instantly when new security alerts are detected. - **[New]** Severity-based styling: Critical (red), High (amber), Medium/Low (neutral). - **[New]** Smart grouping during attack bursts: multiple alerts within 3 seconds are grouped. - **[New]** 'View Details' button opens the full forensic investigation panel. - **[Security]** Alert notifications available on Pro and Enterprise plans only. --- ## v1.9.2 — March 9, 2026 **Faster Dashboard Updates, Smarter Alert Emails & Multi-Asset Guidance** Dashboard now reflects new security events in under 5 seconds. Alert emails are reliably delivered even without explicit alert address. - **[New]** Near-instant dashboard updates: new security events appear in under 5 seconds. - **[New]** Live 'Syncing' indicator: animated badge appears when new events are arriving. - **[New]** Alert email fallback: notifications auto-sent to account owner and admins when no alert email is configured. - **[Improved]** Multi-asset guidance in API docs: track events from multiple websites with a single API key. --- ## v1.9.1 — March 7, 2026 **Security Event Details, Impossible Travel Map & Dashboard Polish** Full event drill-down from the Activity Feed, expanded impossible travel map with Google Maps export, and hydration fixes. - **[New]** Security event details viewable inline from Activity Feed and Behavioral Anomalies panel. - **[Fixed]** Impossible travel alerts now correctly render the travel path map with distance and time details. - **[Improved]** Event detail sidebar identifies the event source (SDK vs browser-based events). - **[New]** Purple top-of-page loading bar on navigation. --- ## v1.9.0 — March 3, 2026 **Batch Ingestion & SDK v2.5.0** High-volume ingestion with Redis pipelining, batch event collection, and updated SDKs. - **[New]** New batch ingestion endpoint: send up to 100 events in a single POST /collect request. - **[Improved]** Ingestion pipeline now uses Redis pipelining for event queue writes. - **[Security]** Rate limiting and quota enforcement are now batch-aware. - **[Improved]** Node SDK v2.5.0, Python SDK v2.5.0, PHP SDK v2.5.0: added trackBatch/track_batch helpers. --- ## v1.8.0 — March 1, 2026 **SDK v2.1.0 & Production Readiness** Major SDK updates with enhanced threat intelligence, improved alert management, and expanded event tracking. - **[Security]** Completed comprehensive security audit across all platform components. - **[New]** New forensics data in alerts: VPN/Tor/proxy detection, datacenter identification, ASN lookup, threat scoring. - **[New]** Enhanced geolocation: city, country, region, coordinates, and timezone. - **[New]** 26 predefined security event types across auth, admin, authorization, data, and security categories. - **[Improved]** Node.js SDK: Full TypeScript support. Python SDK: Type hints and dataclasses. --- ## v1.7.0 — February 26, 2026 **Security & Performance Improvements** Enhanced security controls, improved webhook reliability, and database performance optimizations. - **[Security]** Strengthened quota enforcement and enhanced multi-tenant data isolation. - **[New]** Automatic data retention enforcement based on plan (Free: 7d, Pro: 30d, Enterprise: 90d). - **[New]** Webhook retry with exponential backoff — up to 3 retries. - **[New]** SDK timeout protection prevents blocking on slow network conditions. - **[Improved]** Faster dashboard loading with optimized database queries. --- ## v1.6.0 — February 26, 2026 **Pro Trial & Plan-Based Signup Flow** Complete overhaul of signup and billing flows with 14-day Pro trial. - **[New]** 14-day Pro trial automatically starts when you sign up. - **[New]** Billing status syncs automatically when you open your dashboard. - **[New]** Expanded FAQ section on pricing page with 10 commonly asked questions. - **[Improved]** Plan upgrades reflect immediately in your dashboard after checkout. --- ## v1.5.0 — February 24, 2026 **Security Audit & Compliance** Comprehensive security audit completed. SOC 2 Type 1 ready with enhanced security controls. - **[Security]** SOC 2 Type 1 compliance verified and audit-ready. - **[Security]** Automatic PII redaction for sensitive data in logs. - **[Security]** RBAC enforced across all features. MFA enforcement for account security. - **[New]** Behavioral anomaly detection for impossible travel scenarios. - **[New]** Geo-anomaly detection flags logins from high-risk regions. - **[New]** Instant alert notifications via Email, Slack, and Discord. --- ## v1.4.0 — February 23, 2026 **CORS Configuration & Authorized Origins** New Authorized Origins feature for browser-based integrations with wildcard subdomain support. - **[New]** Configure Authorized Origins (CORS) in Settings → General for browser-based API calls. - **[New]** Wildcard subdomain support for Pro and Enterprise plans. - **[New]** Plan-based limits: Free (1 origin), Pro (5 + wildcards), Enterprise (unlimited + wildcards). - **[Security]** CORS validation prevents overly broad wildcard domains. --- ## v1.3.0 — February 22, 2026 **Dashboard UX Enhancements** Improved Activity Feed and Anomalies Center with severity indicators and clearer explanations. - **[New]** Severity column added to Activity Feed and Anomalies Center. - **[New]** Helpful tooltips explaining event severity vs. alert severity differences. - **[Improved]** API docs updated with High-Risk Countries list for Geo-Anomaly detection. --- ## v1.2.0 — February 20, 2026 **Legal & Documentation Update** Added comprehensive legal pages and improved API documentation. - **[New]** Added dedicated API Documentation page at /docs/api. - **[New]** Added Privacy Policy, Terms of Service, and Security page. - **[New]** Added GDPR-compliant cookie consent banner. - **[Improved]** Improved code examples with copy-to-clipboard functionality. --- ## v1.1.0 — February 19, 2026 **Real-time Activity Feed & UX Improvements** Real-time event updates and improved user experience across the dashboard. - **[New]** Real-time Activity Feed — events appear instantly without page refresh. - **[New]** Custom 404 and error pages. Toast notifications. Skeleton loaders. - **[Improved]** Settings page redesigned with improved navigation. --- ## v1.0.0 — February 15, 2026 **Initial Release** The first public release of LiteSOC — Security Observability for Startups. - **[New]** Security event ingestion API with real-time processing. - **[New]** Interactive dashboard with activity charts and security health score. - **[New]** Brute force detection, geo-anomaly detection, Slack and Discord webhooks. - **[New]** API key management with secure storage. Usage tracking with monthly event limits. - **[Security]** Complete data isolation between organizations. AES-256 encryption at rest. TLS 1.3 in transit. --- # LiteSOC — API Reference > Complete API documentation for the LiteSOC Security Observability platform. - **Base URL (Ingestion):** https://api.litesoc.io/collect - **Base URL (Management):** https://api.litesoc.io - **Authentication:** `X-API-Key: YOUR_API_KEY` header required on all requests - **Website:** https://litesoc.io/docs/api ## Getting Started ### Authentication All requests must include your API key in the `X-API-Key` header: ```bash curl -X POST https://api.litesoc.io/collect \ -H "X-API-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"event": "auth.login_success", "actor": {"id": "user_123"}}' ``` Find your API key in the LiteSOC Dashboard under Settings → API Keys. ### Quick Start (TypeScript) ```typescript interface Actor { id: string; email?: string; } const LSOC_ENDPOINT = 'https://api.litesoc.io/collect'; export async function trackEvent(event: string, actor: Actor, userIP: string, metadata?: Record) { const response = await fetch(LSOC_ENDPOINT, { method: 'POST', headers: { 'Content-Type': 'application/json', 'x-api-key': process.env.LSOC_API_KEY!, }, body: JSON.stringify({ event, actor, user_ip: userIP, metadata }), }); if (!response.ok) { throw new Error(`LiteSOC error: ${response.status}`); } return response.json(); } ``` ## Event Collection API ### POST /collect — Ingest a Security Event **Request body:** ```json { "event": "auth.login_success", "actor": { "id": "user_123", "email": "user@example.com" }, "user_ip": "203.0.113.50", "metadata": { "method": "oauth", "provider": "google" } } ``` **Responses:** - `202 Accepted` — Event queued successfully - `401 Unauthorized` — Invalid or missing API key - `403 Forbidden` — Quota exceeded or plan restriction - `429 Too Many Requests` — Rate limited ### POST /collect — Batch Ingestion Send up to 100 events in a single request: ```json { "events": [ { "event": "auth.login_success", "actor": { "id": "user_1" }, "user_ip": "203.0.113.1" }, { "event": "auth.login_failed", "actor": { "id": "user_2" }, "user_ip": "203.0.113.2" } ] } ``` ## Management API > All management endpoints require a **Pro** plan or above unless noted. | Method | Endpoint | Plan | Description | |---|---|---|---| | GET | /events | Free | List security events with pagination and filtering | | GET | /events/:id | Free | Get a single event with full forensic details | | GET | /alerts | Pro+ | List behavioral AI detection alerts | | GET | /alerts/:id | Pro+ | Get a single alert with full context | | PATCH | /alerts/:id | Pro+ | Update alert status (resolve, mark as safe) | | GET | /health | Free | API health and quota usage | ### GET /events Query parameters: - `limit` — Max results (default: 50, max: 200) - `offset` — Pagination offset - `event_type` — Filter by event name (e.g., `auth.login_failed`) - `actor_id` — Filter by actor user ID - `from` — ISO 8601 start date - `to` — ISO 8601 end date ### PATCH /alerts/:id ```json { "status": "resolved" } ``` Valid status values: `open`, `resolved`, `safe` ## 26 Standard Security Events All events are server-assigned a severity level. Client-supplied severity fields are ignored. #### Authentication | Event Name | Severity | Instant Alert | |---|---|---| | `auth.login_success` | low | — | | `auth.login_failed` | medium | — | | `auth.logout` | info | — | | `auth.password_reset` | medium | — | | `auth.mfa_enabled` | low | — | | `auth.mfa_disabled` | medium | — | | `auth.session_expired` | info | — | | `auth.token_refreshed` | info | — | #### Authorization | Event Name | Severity | Instant Alert | |---|---|---| | `authz.access_denied` | critical | ⚡ Yes | | `authz.role_changed` | critical | ⚡ Yes | | `authz.permission_granted` | info | — | | `authz.permission_revoked` | warning | — | #### Admin Actions | Event Name | Severity | Instant Alert | |---|---|---| | `admin.user_created` | low | — | | `admin.user_deleted` | high | — | | `admin.user_suspended` | high | — | | `admin.privilege_escalation` | critical | ⚡ Yes | | `admin.settings_changed` | medium | — | | `admin.api_key_created` | medium | — | | `admin.api_key_revoked` | medium | — | #### Data Access | Event Name | Severity | Instant Alert | |---|---|---| | `data.export` | medium | — | | `data.bulk_delete` | critical | ⚡ Yes | | `data.sensitive_access` | critical | ⚡ Yes | #### Security | Event Name | Severity | Instant Alert | |---|---|---| | `security.suspicious_activity` | critical | ⚡ Yes | | `security.rate_limit_exceeded` | medium | — | | `security.ip_blocked` | high | — | | `security.brute_force_detected` | critical | ⚡ Yes | ## Infrastructure & Quotas | Plan | Events/Month | Rate Limit | Retention | |---|---|---|---| | Free | 10,000 | 100 req/min | 7 days | | Pro | 500,000 | 1,000 req/min | 30 days | | Enterprise | Unlimited | Custom | 90 days | | Custom | Custom | Custom | Custom | ## Security Intelligence (Automatic Enrichment) Every ingested event is automatically enriched with: - **GeoIP** — Country, city, region, coordinates, timezone - **Network Intelligence** — VPN/Tor/proxy detection, datacenter flag, ASN, ISP - **Threat Scoring** — Risk score (0–100) based on network signals - **Behavioral AI** — Impossible Travel, Geo-Anomaly detection (Pro+) > Network Intelligence and GeoIP data are **redacted** for Free plan API responses. ## Response Headers Every API response includes plan metadata: | Header | Description | |---|---| | `X-LiteSOC-Plan` | Your current plan (free, pro, enterprise) | | `X-LiteSOC-Retention` | Retention period in days | | `X-LiteSOC-Cutoff` | ISO 8601 date of oldest available data | --- # LiteSOC — API Documentation & Integration Guide > Everything you need to integrate LiteSOC into your application. From quick start guides to complete API references. - **API Reference:** https://litesoc.io/docs/api - **Integrations:** https://litesoc.io/docs/integrations - **n8n Node Docs:** https://litesoc.io/docs/n8n - **Server Agent Docs:** https://litesoc.io/docs/integrations/agent ## Quick Start ### Install the SDK ```bash # Node.js npm install litesoc # Python pip install litesoc # PHP composer require litesoc/litesoc-php ``` ### Track a Security Event ```typescript import { LiteSOC } from 'litesoc'; const litesoc = new LiteSOC('YOUR_API_KEY'); // Track a security event litesoc.track('auth.login_success', { actorId: 'user_123', actorEmail: 'user@example.com', userIp: request.ip, metadata: { method: 'password' } }); // Use convenience methods litesoc.trackLoginFailed('user_123', { userIp: request.ip }); ``` ## Quick Links - **Quick Start** — Get started quickly with our REST API - **Security Intelligence** — Auto-enrichment with GeoIP & Network Intelligence - **Event Forensics** — Click any event to view full forensic details - **Event Types** — 26 standardized event types across 5 categories ## SDKs | Language | Package | Install | |---|---|---| | Node.js | `litesoc` | `npm install litesoc` | | Python | `litesoc` | `pip install litesoc` | | PHP | `litesoc/litesoc-php` | `composer require litesoc/litesoc-php` | ## API Host - **Ingestion:** `POST https://api.litesoc.io/collect` - **Management:** `https://api.litesoc.io/{alerts,events,health}` - **Authentication:** `X-API-Key` header (required) ## Batch Ingestion Send up to 100 events in a single request: ```bash curl -X POST https://api.litesoc.io/collect \ -H "X-API-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"events": [{"event_type": "auth.login_success", "actor_id": "user_1"}, ...]}' ``` --- # LiteSOC — Integrations > Connect LiteSOC to your existing auth and automation stack in minutes. - **Website:** https://litesoc.io/docs/integrations - **All Integrations:** https://litesoc.io/docs/integrations ## Official Integrations ### Supabase **Badge:** Official **Events tracked:** 6 **Setup:** One-click OAuth connection from the LiteSOC dashboard Auto-track 6 security events: signups, logins, password resets, MFA changes, user deletions. **Features:** - One-click OAuth setup — no code required - Automatically tracks 6 Supabase Auth event types - MFA enable/disable tracking included - Works with Supabase Auth v2 **Setup:** Dashboard → Integrations → Supabase → Connect with OAuth --- ### Auth0 **Badge:** Official **Setup:** Auth0 Actions or Log Streams Monitor authentication events from Auth0 with Actions or Log Streams. Full IP capture for Behavioral AI detection. **Features:** - Supports both Auth0 Actions (post-login hook) and Log Streams - Full end-user IP captured for Impossible Travel and Geo-Anomaly AI - Covers login, logout, MFA events, and more - Works with Auth0 Universal Login and custom domains **Setup:** Dashboard → Integrations → Auth0 → Install Action or configure Log Stream --- ### n8n Community Node **Badge:** Community **Package:** `n8n-nodes-litesoc` Build powerful security automation workflows with our native n8n community node. No code required. **Features:** - **LiteSOC Trigger** — react to security events and behavioral alerts in real-time - **LiteSOC Action** — query events and update alert status from any workflow - Access to 100+ n8n app connectors (Slack, Jira, PagerDuty, email, etc.) - Visual no-code workflow builder **Install:** In n8n, go to Settings → Community Nodes → Install → enter `n8n-nodes-litesoc` **Docs:** https://litesoc.io/docs/n8n ## Coming Soon | Provider | Type | Notes | |---|---|---| | Clerk | Official | Full event coverage for Clerk Auth | | Firebase | Official | Firebase Authentication integration | | WorkOS | Official | Enterprise SSO and directory sync | | Stytch | Official | Passwordless authentication events | | Okta | Official | Enterprise identity platform | ## Direct API Integration For any auth provider not listed above, use the REST API directly: ```bash curl -X POST https://api.litesoc.io/collect \ -H "X-API-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "event": "auth.login_success", "actor": { "id": "user_123", "email": "user@example.com" }, "user_ip": "203.0.113.50" }' ``` SDKs available for **Node.js** (`npm install litesoc`), **Python** (`pip install litesoc`), and **PHP** (`composer require litesoc/litesoc-php`). --- # LiteSOC — Help Center > Find answers to common questions and learn how to get the most out of LiteSOC. - **Website:** https://litesoc.io/help - **Contact:** https://litesoc.io/contact ## Help Categories ### Getting Started Initial setup and SDK installation - [Installing the LiteSOC Node.js SDK](https://litesoc.io/help/getting-started/installing-nodejs-sdk) - [Sending Your First Security Event](https://litesoc.io/help/getting-started/sending-first-event) --- ### Account Password, 2FA, and account management - [How to Reset Your Password](https://litesoc.io/help/account/reset-password) - [Using Recovery Codes to Regain Access](https://litesoc.io/help/account/recovery-codes) - [How to Delete Your Account](https://litesoc.io/help/account/delete-account) --- ### Integrations n8n, Slack, and Discord setup - [Connecting LiteSOC to n8n](https://litesoc.io/help/integrations/connecting-n8n) - [Setting Up Slack Notifications](https://litesoc.io/help/integrations/slack-notifications) --- ### Security & Compliance SOC 2, audit logs, and MFA - [SOC 2 Compliance Overview](https://litesoc.io/help/security-compliance/soc2-overview) - [Enabling Multi-Factor Authentication](https://litesoc.io/help/security-compliance/enable-mfa) --- ### Billing & Plans Invoices, upgrades, downgrades, and cancellations - [Understanding Your Invoice](https://litesoc.io/help/billing/understanding-invoice) - [Upgrading or Downgrading Your Plan](https://litesoc.io/help/billing/change-plan) --- ### Alerts & Detections Understanding threats and managing alerts - [Understanding Detection Alerts](https://litesoc.io/help/alerts-detections/understanding-alerts) - [Responding to Security Incidents](https://litesoc.io/help/alerts-detections/incident-response) --- ### Custom Threat Models Advanced detection rules, metadata filters, and a ready-to-use rule library — Enterprise only - [Custom Threat Models Overview](https://litesoc.io/help/enterprise/custom-threat-models-overview) - [Metadata Filtering & Field Reference](https://litesoc.io/help/enterprise/metadata-filtering) - [Operator Reference](https://litesoc.io/help/enterprise/operator-reference) - [Recommended Enterprise Rule Library](https://litesoc.io/help/enterprise/example-rule-library) ## Popular FAQs **Q: How do I get started with LiteSOC?** Sign up at litesoc.io, grab your API key from Settings → API Keys, and install the SDK: `npm install litesoc`. Then call `litesoc.track()` after your login handler. That's it. **Q: What happens when I exceed my monthly quota?** On the Free plan (10,000 events/month), once you hit the limit the API returns a 429 response. Your app continues to work normally — only LiteSOC tracking is paused. Upgrade to Pro for 500,000 events/month. **Q: How long is my data retained?** Free: 7 days. Pro: 30 days. Enterprise: 90 days. Custom plans can negotiate extended retention. **Q: Can I export my security data?** Yes. From the dashboard go to Events → Export. CSV and JSON formats are available. API export is available on Pro and above via `GET /events`. **Q: How do I enable two-factor authentication?** Go to Settings → Security → Enable 2FA. Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.) and enter the 6-digit code to confirm. ## Account Actions | Action | Link | |---|---| | Reset Password | https://litesoc.io/forgot-password | | Lost Backup Codes | https://litesoc.io/help/account/recovery-codes | | Reset 2FA | https://litesoc.io/help/security-compliance/enable-mfa | | Delete Account | https://litesoc.io/help/account/delete-account | --- # Help Center — Full Article Content > The following are the complete bodies of every help center article. ## Installing the LiteSOC Node.js SDK - **Category:** Getting Started - **URL:** https://litesoc.io/help/getting-started/installing-nodejs-sdk - **Updated:** 2026-03-01 > Learn how to install and configure the LiteSOC Node.js SDK in your application. # Installing the LiteSOC Node.js SDK The LiteSOC Node.js SDK provides a simple and efficient way to send security events from your Node.js applications. This guide will walk you through the installation and initial configuration. ## Prerequisites Before you begin, make sure you have: - **Node.js 18+** installed on your machine - A **LiteSOC account** with an active API key - **npm** or **yarn** package manager ## Step 1: Install the SDK Install the LiteSOC SDK using your preferred package manager: ```bash # Using npm npm install @litesoc/node # Using yarn yarn add @litesoc/node # Using pnpm pnpm add @litesoc/node ``` ## Step 2: Get Your API Key 1. Log in to your [LiteSOC Dashboard](https://litesoc.io/dashboard) 2. Navigate to **Settings** → **API Keys** 3. Click **Create New API Key** 4. Copy the generated key (you won't be able to see it again) > ⚠️ **Important:** Never commit your API key to version control. Use environment variables instead. ## Step 3: Initialize the Client Create a new file or add to your existing configuration: ```typescript import { LiteSOC } from '@litesoc/node'; const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY!, // Optional: specify the region (default: 'us') region: 'us', }); export default litesoc; ``` ## Step 4: Configure Environment Variables Add your API key to your environment: ```bash # .env.local LITESOC_API_KEY=lsk_live_xxxxxxxxxxxxxxxxxxxx ``` ## Step 5: Verify the Installation Test your setup by sending a simple event: ```typescript import litesoc from './litesoc'; async function testConnection() { try { await litesoc.track({ event: 'auth.login_success', actor: { id: 'test-user-123', email: 'test@example.com', }, metadata: { test: true, }, }); console.log('✅ LiteSOC connected successfully!'); } catch (error) { console.error('❌ Connection failed:', error); } } testConnection(); ``` ## TypeScript Support The SDK is written in TypeScript and includes full type definitions. You'll get autocomplete and type checking out of the box. ```typescript import { LiteSOC, SecurityEvent } from '@litesoc/node'; const event: SecurityEvent = { event: 'auth.login_success', actor: { id: 'user-123', email: 'user@example.com', }, }; ``` ## Next Steps - [Sending your first security event](/help/getting-started/sending-first-event) - [Understanding event types](/docs/api#event-types) - [Best practices for security logging](/docs/api#best-practices) ## Troubleshooting ### "Invalid API Key" Error Make sure your API key: - Starts with `lsk_live_` (production) or `lsk_test_` (sandbox) - Has not been revoked in the dashboard - Is correctly set in your environment variables ### "Network Error" or Timeout Check that: - Your firewall allows outbound connections to `api.litesoc.io` - You have a stable internet connection - The LiteSOC status page shows no outages --- Need help? [Contact our support team](/contact) or check our [API documentation](/docs/api). --- ## Sending Your First Security Event - **Category:** Getting Started - **URL:** https://litesoc.io/help/getting-started/sending-first-event - **Updated:** 2026-03-01 > A step-by-step guide to tracking your first authentication event with LiteSOC. # Sending Your First Security Event Once you've installed the LiteSOC SDK, it's time to start tracking security events. This guide covers the fundamentals of event tracking and shows you how to send your first event. ## Understanding Security Events LiteSOC uses a standardized event schema to track security-relevant activities. Each event contains: - **event**: The event type (e.g., `auth.login_success`) - **actor**: Information about the user performing the action - **target** (optional): The resource being acted upon - **metadata** (optional): Additional context about the event ## Event Types LiteSOC supports 26 standard event types across 5 categories: | Category | Events | |----------|--------| | **auth** | login.success, login.failure, logout, mfa.enabled, mfa.disabled | | **admin** | user.created, user.deleted, role.changed, settings.changed | | **data** | export.requested, import.completed, deleted | | **security** | suspicious.activity, blocked, rate.limited | | **authz** | access.granted, access.denied, permission.changed | ## Basic Event Structure Here's the anatomy of a security event: ```typescript interface SecurityEvent { event: string; // Required: event type actor: { id: string; // Required: unique user identifier email?: string; // Optional: user's email name?: string; // Optional: user's display name }; target?: { id: string; // Resource identifier type: string; // Resource type (e.g., 'document', 'user') name?: string; // Resource name }; metadata?: Record; // Additional context } ``` ## Example: Tracking a Login Event Let's track a successful login in your authentication handler: ```typescript import litesoc from './litesoc'; import { getClientIp } from './utils'; async function handleLogin(email: string, password: string, req: Request) { // Your authentication logic const user = await authenticateUser(email, password); if (user) { // Track successful login await litesoc.track({ event: 'auth.login_success', actor: { id: user.id, email: user.email, name: user.name, }, metadata: { ip_address: getClientIp(req), user_agent: req.headers.get('user-agent'), method: 'password', }, }); return { success: true, user }; } else { // Track failed login attempt await litesoc.track({ event: 'auth.login_failed', actor: { id: 'unknown', email: email, // Log the attempted email }, metadata: { ip_address: getClientIp(req), user_agent: req.headers.get('user-agent'), reason: 'invalid_credentials', }, }); return { success: false, error: 'Invalid credentials' }; } } ``` ## Example: Tracking Data Access Track when users access sensitive data: ```typescript async function downloadReport(userId: string, reportId: string) { const report = await getReport(reportId); await litesoc.track({ event: 'data.export', actor: { id: userId, }, target: { id: reportId, type: 'report', name: report.title, }, metadata: { format: 'pdf', size_bytes: report.size, }, }); return report; } ``` ## Example: Tracking Permission Changes Monitor administrative actions: ```typescript async function changeUserRole(adminId: string, targetUserId: string, newRole: string) { const previousRole = await getUserRole(targetUserId); await updateUserRole(targetUserId, newRole); await litesoc.track({ event: 'admin.role_changed', actor: { id: adminId, }, target: { id: targetUserId, type: 'user', }, metadata: { previous_role: previousRole, new_role: newRole, }, }); } ``` ## Automatic IP Intelligence When you include an `ip_address` in your metadata, LiteSOC automatically: - ✅ Resolves geolocation (country, city, coordinates) - ✅ Detects VPN, Tor, and proxy usage - ✅ Identifies datacenter IPs - ✅ Calculates threat scores - ✅ Triggers impossible travel detection ## Best Practices 1. **Always include actor.id**: This enables user behavior analysis 2. **Use consistent event types**: Stick to the 26 standard events 3. **Include IP when available**: Enables geolocation and threat detection 4. **Don't log sensitive data**: Never include passwords, tokens, or PII in metadata 5. **Handle errors gracefully**: Wrap tracking calls in try-catch ```typescript // Good practice: non-blocking tracking try { await litesoc.track(event); } catch (error) { // Log but don't fail the main operation logger.warn('Failed to track security event', { error }); } ``` ## View Your Events After sending events, view them in your [LiteSOC Dashboard](https://litesoc.io/dashboard): 1. Go to **Events** in the sidebar 2. You'll see your events appear in real-time 3. Click any event to see the full details, including enriched IP intelligence ## Next Steps - [Understanding detection alerts](/docs/api#detections) - [Setting up Slack notifications](/help/integrations/slack-notifications) - [Connecting to n8n](/help/integrations/connecting-n8n) --- Need help? [Contact our support team](/contact) or check our [API documentation](/docs/api). --- ## Installing the LiteSOC Server Agent - **Category:** Getting Started - **URL:** https://litesoc.io/help/getting-started/installing-server-agent - **Updated:** 2026-04-11 > Deploy the open-source LiteSOC Agent on your servers for real-time SSH log forwarding and infrastructure monitoring. # Installing the LiteSOC Server Agent The LiteSOC Agent is a lightweight, open-source Go binary that runs on your servers. It tails system authentication logs in real-time, parses SSH events, and forwards structured security events to LiteSOC. It also sends heartbeats so you can monitor server health from your dashboard. ## What the Agent Does - **Real-time SSH log parsing** — detects `auth.login_failed`, `auth.login_success`, and `auth.logout` events from OpenSSH logs - **Heartbeat monitoring** — sends a health check every 60 seconds with hostname, OS, CPU, and RAM metrics - **Zero dependencies** — single static binary, no interpreter or runtime needed - **Log rotation safe** — handles `logrotate` via inotify/kqueue with no missed events ## Prerequisites - **Linux** (Debian, Ubuntu, RHEL, Fedora, CentOS, Amazon Linux, Alpine) or **macOS** - **curl** and **tar** installed - A **LiteSOC API key** from Settings → API Keys - **systemd** (optional, for service management) ## One-Line Install (Recommended) Run this command on your server: ```bash curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_your_key bash ``` The installer will: 1. Detect your OS and architecture 2. Download the pre-built binary from GitHub Releases 3. Write the config file to `/etc/litesoc/config.yaml` 4. Store your API key securely in `/etc/litesoc/agent.env` (mode `0600`) 5. Install and enable a `systemd` service > You can also copy the install command directly from your **Infrastructure Dashboard** — it pre-fills your API key and project ID. ## Configuration The config file lives at `/etc/litesoc/config.yaml`: ```yaml api_endpoint: https://api.litesoc.io heartbeat_interval: 60 # seconds log_watchers: - path: /var/log/auth.log # Debian/Ubuntu type: sshd # - path: /var/log/secure # RHEL/Fedora/CentOS # type: sshd ``` | Field | Default | Description | |-------|---------|-------------| | `api_endpoint` | `https://api.litesoc.io` | LiteSOC ingestion URL | | `heartbeat_interval` | `60` | Heartbeat frequency in seconds | | `log_watchers[].path` | — | Absolute path to the log file | | `log_watchers[].type` | — | Parser type (currently `sshd`) | > **Security:** The API key is never stored in the config file — it is read from the `LITESOC_KEY` environment variable. ## Supported Architectures | OS | Architectures | |-----|--------------| | Linux | `amd64`, `arm64`, `arm` | | macOS | `amd64` (Intel), `arm64` (Apple Silicon) | ## Events Emitted | Event | Trigger | Data | |-------|---------|------| | `auth.login_failed` | Failed password or invalid user | actor, source IP, port, reason | | `auth.login_success` | Accepted password/publickey | actor, source IP, port | | `auth.logout` | Disconnected from | actor, source IP, port | ## Managing the Service ```bash # Check status sudo systemctl status litesoc-agent # View logs sudo journalctl -u litesoc-agent -f # Restart after config change sudo systemctl restart litesoc-agent ``` ## Building from Source ```bash git clone https://github.com/litesoc/litesoc-agent.git cd litesoc-agent make build # → bin/litesoc-agent make build-all # cross-compile all targets ``` Run manually: ```bash export LITESOC_KEY=lsoc_live_your_key ./bin/litesoc-agent /etc/litesoc/config.yaml ``` ## Verifying the Installation After installing, check your **Infrastructure Dashboard** at [litesoc.io/dashboard/infrastructure](https://litesoc.io/dashboard/infrastructure). Your server should appear within 60 seconds with a green "Online" badge. ## Next Steps - [Monitor server health on the Infrastructure Dashboard](/dashboard/infrastructure) - [Set up Slack notifications for server-down alerts](/help/integrations/slack-notifications) - [Send custom events with the Node.js SDK](/help/getting-started/installing-nodejs-sdk) --- Need help? [Contact our support team](/contact) or check our [API documentation](/docs/api). --- ## How to Reset Your Password - **Category:** Account - **URL:** https://litesoc.io/help/account/reset-password - **Updated:** 2026-03-01 > Step-by-step guide to resetting your LiteSOC account password. # How to Reset Your Password Forgot your password? Don't worry—resetting it is quick and easy. This guide walks you through the password reset process. ## Method 1: Reset via Email (Recommended) ### Step 1: Go to the Login Page Visit [litesoc.io/login](https://litesoc.io/login) and click **"Forgot password?"** below the login form. ### Step 2: Enter Your Email Enter the email address associated with your LiteSOC account. Make sure it's the exact email you used to sign up. ``` 📧 Enter your email: you@company.com ``` ### Step 3: Check Your Inbox We'll send you a password reset link within a few minutes. Check your: - **Primary inbox** - **Spam/Junk folder** - **Promotions tab** (Gmail users) > 💡 The reset link expires in **1 hour** for security reasons. ### Step 4: Create a New Password Click the link in the email and enter your new password. Your password must: - Be at least **12 characters** long - Include at least **one uppercase letter** - Include at least **one number** - Include at least **one special character** (!@#$%^&*) ### Step 5: Log In with Your New Password After resetting, you'll be redirected to the login page. Enter your email and new password to access your account. ## Method 2: Reset While Logged In If you're already logged in and want to change your password: 1. Go to **Dashboard** → **Settings** → **Security** 2. Click **"Change Password"** 3. Enter your current password 4. Enter and confirm your new password 5. Click **"Update Password"** ## Password Requirements For your security, we enforce strong password policies: | Requirement | Description | |-------------|-------------| | Length | Minimum 12 characters | | Uppercase | At least 1 uppercase letter (A-Z) | | Lowercase | At least 1 lowercase letter (a-z) | | Numbers | At least 1 digit (0-9) | | Special | At least 1 special character | ## Using a Password Manager We strongly recommend using a password manager like: - **1Password** - **Bitwarden** (open source) - **Dashlane** - **LastPass** Password managers generate and store strong, unique passwords for each service. ## Didn't Receive the Reset Email? If you didn't receive the password reset email: 1. **Check spam/junk folders** - Sometimes emails get filtered 2. **Wait a few minutes** - Email delivery can take up to 5 minutes 3. **Try again** - Request another reset link 4. **Check the email address** - Ensure you're using the correct email 5. **Contact support** - If issues persist, [email our support team](mailto:support@litesoc.io) ## Account Locked? After 5 failed login attempts, your account is temporarily locked for 15 minutes. This is a security measure to prevent brute-force attacks. If you're locked out: - Wait 15 minutes and try again - Or reset your password immediately (this unlocks the account) ## Two-Factor Authentication (2FA) If you have 2FA enabled, you'll need to enter your authenticator code after resetting your password. If you've lost access to your authenticator: - Use one of your [recovery codes](/help/account/recovery-codes) - [Contact support](mailto:support@litesoc.io) for manual verification ## Security Tips - 🔒 Never share your password with anyone - 🔄 Use a unique password for LiteSOC (don't reuse passwords) - 📱 Enable 2FA for additional security - 🚫 Never enter your password on suspicious websites --- Need help? [Contact our support team](/contact) or check our [security documentation](/security). --- ## Using Recovery Codes to Regain Access - **Category:** Account - **URL:** https://litesoc.io/help/account/recovery-codes - **Updated:** 2026-03-01 > Learn how to use your backup recovery codes when you lose access to your authenticator app. # Using Recovery Codes to Regain Access Lost access to your authenticator app? Recovery codes are your backup method to log in to your LiteSOC account when you can't use your regular 2FA method. ## What Are Recovery Codes? Recovery codes are a set of **10 single-use codes** generated when you first enable Two-Factor Authentication (2FA). Each code can only be used once and should be stored securely offline. ``` Example Recovery Codes: ━━━━━━━━━━━━━━━━━━━━━━ XXXX-XXXX-XXXX-XXXX YYYY-YYYY-YYYY-YYYY ZZZZ-ZZZZ-ZZZZ-ZZZZ ... (7 more codes) ``` ## Using a Recovery Code ### Step 1: Start the Login Process 1. Go to [litesoc.io/login](https://litesoc.io/login) 2. Enter your email and password 3. When prompted for your 2FA code, click **"Use recovery code"** ### Step 2: Enter Your Recovery Code Enter one of your unused recovery codes. The format is typically `XXXX-XXXX-XXXX-XXXX` (16 characters with dashes). > ⚠️ **Important:** Each recovery code can only be used **once**. After use, it becomes invalid. ### Step 3: Access Restored You'll be logged in immediately. We recommend: 1. Going to **Settings** → **Security** 2. Resetting your 2FA with a new authenticator device 3. Generating new recovery codes 4. Storing the new codes securely ## Best Practices for Recovery Codes ### Where to Store Recovery Codes ✅ **Good options:** - Password manager (encrypted) - Printed copy in a safe or lockbox - Encrypted USB drive stored securely - Bank safety deposit box ❌ **Avoid:** - Email (could be compromised) - Cloud storage without encryption - Sticky notes or unsecured documents - Screenshots on your phone ### Security Recommendations 1. **Store them separately** from your password 2. **Don't keep them on the same device** as your authenticator 3. **Keep multiple copies** in different secure locations 4. **Regenerate codes** after using any ## Generating New Recovery Codes If you've used most of your codes or want new ones: 1. Log in to your LiteSOC account 2. Go to **Settings** → **Security** → **Two-Factor Authentication** 3. Click **"Regenerate Recovery Codes"** 4. Confirm with your authenticator code or a current recovery code 5. **Important:** Your old codes will be invalidated immediately 6. Store your new codes securely ## Lost All Recovery Codes? If you've lost both your authenticator access AND all recovery codes: ### Option 1: Contact Support 1. Email [support@litesoc.io](mailto:support@litesoc.io) from your registered email 2. Provide verification information: - Your full name - Organization name - Approximate account creation date - Recent activity details 3. Our team will verify your identity and help restore access ### Option 2: Organization Admin Recovery If you're part of an organization: 1. Contact your organization administrator 2. They can reset your 2FA from the admin panel 3. You'll receive an email to set up 2FA again > ⏱️ **Recovery timeline:** Support-assisted recovery typically takes 1-2 business days for security verification. ## Preventing Future Lockouts ### 1. Set Up Multiple 2FA Methods Consider adding backup authentication methods: - Multiple authenticator apps on different devices - Security keys (YubiKey, etc.) ### 2. Regular Code Audits Every 6 months: - Check how many recovery codes you have left - Regenerate if you have fewer than 5 - Verify your codes are still accessible ### 3. Authenticator App Backups Some authenticator apps support cloud backup: - **Authy** - Encrypted cloud sync - **1Password** - Built into password manager - **Google Authenticator** - Cloud sync available ## What Happens If Someone Finds My Recovery Codes? Recovery codes alone aren't enough to access your account—they also need your password. However, if you suspect your codes have been compromised: 1. Log in immediately 2. Go to **Settings** → **Security** 3. **Regenerate all recovery codes** (invalidates the old ones) 4. Review your account activity for suspicious logins 5. Consider changing your password as well --- Need help? [Contact our support team](/contact) or review our [security best practices](/security). --- ## How to Delete Your Account - **Category:** Account - **URL:** https://litesoc.io/help/account/delete-account - **Updated:** 2026-03-01 > Permanently delete your LiteSOC account and all associated data. # How to Delete Your Account We're sorry to see you go. This guide explains how to permanently delete your LiteSOC account and what happens to your data. ## Before You Delete ### What Gets Deleted When you delete your account, the following is **permanently removed**: - ✅ Your user profile and settings - ✅ All security events and logs - ✅ Detection alerts and history - ✅ API keys and webhooks - ✅ Team members (if you're the owner) - ✅ Organization data (if you're the owner) - ✅ Billing history and invoices ### What We Keep For legal and compliance reasons, we retain: - 📄 Anonymized usage statistics - 💳 Payment records (required by law for 7 years) - 📝 Audit logs related to your account deletion ## Prerequisites Before deleting your account: 1. **Export your data** - Download any events or reports you need 2. **Cancel your subscription** - Avoid future charges 3. **Transfer ownership** - If you're an org owner, transfer to another admin 4. **Revoke API keys** - Ensure no services are still sending events ## Step-by-Step Deletion ### Step 1: Log In to Your Account Visit [litesoc.io/login](https://litesoc.io/login) and sign in with your credentials. ### Step 2: Navigate to Profile Settings 1. Click your avatar in the top-right corner 2. Go to **Settings** → **Profile** 3. Scroll down to the **Danger Zone** section ### Step 3: Initiate Account Deletion 1. Click **"Delete Account"** 2. Read the warning carefully 3. Type your email address to confirm 4. Click **"Permanently Delete Account"** ### Step 4: Confirm via Email For security, we'll send a confirmation email: 1. Check your inbox for the deletion confirmation 2. Click the confirmation link within 24 hours 3. Your account will be queued for deletion ## Deletion Timeline | Stage | Timeframe | |-------|-----------| | Account disabled | Immediate | | Data deletion starts | Within 24 hours | | Complete data purge | Within 30 days | | Backup removal | Within 90 days | ## Organization Owners If you're the owner of an organization: ### Option 1: Transfer Ownership First 1. Go to **Settings** → **Team** 2. Find another admin member 3. Click **"Transfer Ownership"** 4. Confirm the transfer 5. Then delete your individual account ### Option 2: Delete the Entire Organization 1. Go to **Settings** → **Profile** → **Danger Zone** 2. This will delete: - All organization data - All team member accounts - All events and configurations 3. **This action cannot be undone** ## Reactivation ### Within 30 Days If you change your mind within 30 days: 1. Email [support@litesoc.io](mailto:support@litesoc.io) 2. Subject: "Account Reactivation Request" 3. We may be able to restore your account ### After 30 Days After 30 days, your data is permanently deleted and cannot be recovered. You'll need to create a new account. ## Alternatives to Deletion Before deleting, consider these alternatives: ### Downgrade to Free Plan Keep your account but avoid charges: 1. Go to **Settings** → **Billing** 2. Click **"Downgrade to Free"** 3. You keep 5,000 events/month ### Pause Your Account Taking a break? Contact support to pause billing while keeping your data. ### Export and Archive Download all your data for records: 1. Go to **Events** → **Export** 2. Select "All Time" 3. Download as JSON or CSV ## Frequently Asked Questions ### Can I use the same email for a new account? Yes, after your account is fully deleted (30 days), you can register with the same email. ### What happens to my team members? If you're the org owner and delete the organization, all team members lose access immediately. ### Will I get a refund? Refunds follow our [Terms of Service](/legal/terms). Contact billing@litesoc.io for questions. ### Is deletion instant? Account access is disabled immediately, but complete data deletion takes up to 30 days. --- Changed your mind? [Contact support](/contact) within 30 days to discuss reactivation. Need help with something else? Check our [Help Center](/help) or [contact us](/contact). --- ## Connecting LiteSOC to n8n - **Category:** Integrations - **URL:** https://litesoc.io/help/integrations/connecting-n8n - **Updated:** 2026-03-01 > Set up automated workflows with LiteSOC events using the n8n integration. # Connecting LiteSOC to n8n n8n is a powerful workflow automation tool that integrates seamlessly with LiteSOC. This guide shows you how to connect your LiteSOC account to n8n and create automated security workflows. ## What You Can Do With the LiteSOC + n8n integration, you can: - 🚨 Get real-time alerts for high-severity events - 📊 Send security metrics to Slack, Discord, or email - 🔄 Trigger automated responses to security threats - 📝 Create tickets in Jira, Linear, or GitHub Issues - 📧 Send daily/weekly security digests ## Prerequisites Before starting, ensure you have: - A **LiteSOC account** with events flowing - An **n8n instance** (cloud or self-hosted) - Your **LiteSOC API key** ## Step 1: Install the LiteSOC Node ### For n8n Cloud 1. Log in to your n8n Cloud workspace 2. The LiteSOC node should be available in the node library 3. Search for "LiteSOC" when adding a new node ### For Self-Hosted n8n Install the community node: ```bash # Navigate to your n8n installation directory cd ~/.n8n # Install the LiteSOC node npm install n8n-nodes-litesoc ``` Then restart your n8n instance. ## Step 2: Create LiteSOC Credentials 1. In n8n, go to **Settings** → **Credentials** 2. Click **Add Credential** 3. Search for and select **LiteSOC API** 4. Enter your credentials: | Field | Value | |-------|-------| | **API Key** | Your LiteSOC API key (`lsk_live_...`) | | **Base URL** | `https://api.litesoc.io` (default) | 5. Click **Save** ## Step 3: Create Your First Workflow ### Example: Alert on High Severity Events This workflow sends a Slack message whenever LiteSOC detects a high-severity event. #### Step-by-Step Setup **1. Add the LiteSOC Trigger Node** - Add a new node and search for "LiteSOC" - Select **LiteSOC Trigger** - Configure: - **Credential**: Select your LiteSOC credentials - **Events**: Select "All Events" or specific event types - Copy the **Webhook URL** displayed **2. Configure the Webhook in LiteSOC** - Go to your [LiteSOC Dashboard](https://litesoc.io/dashboard) - Navigate to **Settings** → **Webhooks** - Click **Add Webhook** - Paste the n8n Webhook URL - Select the events you want to receive - Click **Save** **3. Add a Filter Node** - Add an **IF** node after the LiteSOC Trigger - Set the condition: - **Field**: `{{ $json.severity }}` - **Operator**: equals - **Value**: `critical` or `high` **4. Add a Slack Node** - Add a **Slack** node to the "true" branch - Configure: - **Resource**: Message - **Channel**: #security-alerts - **Message**: ``` 🚨 *Security Alert* *Event:* {{ $json.event_type }} *Severity:* {{ $json.severity }} *Actor:* {{ $json.actor.email || $json.actor.id }} *IP:* {{ $json.ip_address }} *Location:* {{ $json.geolocation.city }}, {{ $json.geolocation.country }} <{{ $json.dashboard_url }}|View in LiteSOC> ``` **5. Activate the Workflow** Click the **Activate** toggle to enable real-time processing. ## Common Workflow Examples ### Daily Security Digest Send a daily summary of security events to email: ``` Schedule ──► LiteSOC (Get Events, last 24h) ──► Summary ──► Email ``` ### Auto-Block Suspicious IPs Automatically add IPs to a blocklist when brute force is detected: ``` LiteSOC Trigger ──► Filter (brute_force) ──► HTTP Request (Firewall API) ``` ### Create Jira Ticket for Incidents Create a ticket for manual review on critical events: ``` LiteSOC Trigger ──► Filter (critical) ──► Jira (Create Issue) ``` ## Available LiteSOC Node Operations ### Trigger Node - **On Event**: Triggered when LiteSOC sends a webhook ### Regular Node - **Get Events**: Retrieve events with filters - **Get Event**: Get a specific event by ID - **Get Alerts**: Retrieve detection alerts - **Get Actor**: Get events for a specific actor ## Webhook Payload Structure When LiteSOC sends an event to n8n, it includes: ```json { "id": "evt_abc123", "event_type": "auth.login_failed", "severity": "high", "actor": { "id": "user-123", "email": "user@example.com" }, "ip_address": "203.0.113.42", "geolocation": { "country": "Unknown", "city": "Unknown", "is_vpn": true }, "created_at": "2026-03-01T12:00:00Z", "dashboard_url": "https://litesoc.io/dashboard/events/evt_abc123" } ``` ## Troubleshooting ### Webhook Not Receiving Events 1. Verify the webhook URL is correct in LiteSOC 2. Check if the workflow is **activated** 3. Ensure n8n is accessible from the internet (for self-hosted) 4. Review n8n execution logs for errors ### Authentication Errors 1. Verify your API key is valid 2. Check if the API key has the required permissions 3. Regenerate the API key if issues persist --- Need help? Check our [n8n documentation](/docs/integrations/n8n) or [contact support](/contact). --- ## Setting Up Slack Notifications - **Category:** Integrations - **URL:** https://litesoc.io/help/integrations/slack-notifications - **Updated:** 2026-03-01 > Configure real-time security alerts in your Slack workspace. # Setting Up Slack Notifications Get real-time security alerts delivered directly to your Slack channels. This guide walks you through setting up Slack notifications for LiteSOC events. ## Overview With Slack notifications, you can: - 🚨 Receive instant alerts for security threats - 👀 Monitor login attempts and suspicious activity - 🔔 Get notified about brute force and impossible travel detections - 📊 Share security updates with your team ## Method 1: Using LiteSOC Built-in Slack Integration ### Step 1: Connect Slack 1. Log in to your [LiteSOC Dashboard](https://litesoc.io/dashboard) 2. Go to **Settings** → **Integrations** 3. Find **Slack** and click **Connect** 4. You'll be redirected to Slack to authorize LiteSOC 5. Select the workspace and channels you want to allow 6. Click **Allow** ### Step 2: Configure Notification Settings After connecting, configure which events trigger notifications: | Setting | Options | |---------|---------| | **Channel** | Select a channel (e.g., #security-alerts) | | **Event Types** | All events, or specific types | | **Severity Filter** | Critical only, High+, Medium+, or All | | **Quiet Hours** | Optionally mute during off-hours | ### Step 3: Test the Integration Click **Send Test Notification** to verify everything works. You should see a message in your selected channel. ## Method 2: Using Slack Incoming Webhooks For more control, use Slack Incoming Webhooks directly. ### Step 1: Create a Slack App 1. Go to [api.slack.com/apps](https://api.slack.com/apps) 2. Click **Create New App** → **From scratch** 3. Name your app (e.g., "LiteSOC Alerts") 4. Select your workspace ### Step 2: Enable Incoming Webhooks 1. In your app settings, go to **Incoming Webhooks** 2. Toggle **Activate Incoming Webhooks** to ON 3. Click **Add New Webhook to Workspace** 4. Select the channel for alerts (e.g., #security-alerts) 5. Click **Allow** 6. Copy the **Webhook URL** ``` Example Webhook URL: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX ``` ### Step 3: Configure in LiteSOC 1. Go to **Settings** → **Webhooks** in LiteSOC 2. Click **Add Webhook** 3. Select **Slack** as the destination type 4. Paste your Slack Webhook URL 5. Configure filters (event types, severity) 6. Click **Save** ## Customizing Alert Messages ### Alert Format LiteSOC sends rich Slack messages with: ``` ┌────────────────────────────────────────┐ │ 🚨 Security Alert │ ├────────────────────────────────────────┤ │ Event: auth.login_failed │ │ Severity: 🔴 Critical │ │ │ │ Actor: user@example.com │ │ IP: 203.0.113.42 │ │ Location: 📍 Unknown (VPN detected) │ │ │ │ Detection: Brute Force Attack │ │ Failed attempts: 15 in 5 minutes │ │ │ │ [View in Dashboard] │ └────────────────────────────────────────┘ ``` ### Severity Colors - 🔴 **Critical** - Red sidebar - 🟠 **High** - Orange sidebar - 🟡 **Medium** - Yellow sidebar - 🟢 **Low/Info** - Green sidebar ## Channel Recommendations We recommend setting up multiple channels for different alert types: | Channel | Purpose | Severity | |---------|---------|----------| | #security-critical | Immediate attention required | Critical | | #security-alerts | Important security events | High + Critical | | #security-audit | All security events for compliance | All | ## Filtering Notifications ### By Event Type Select specific events to receive notifications for: - ✅ auth.login_failed - ✅ security.suspicious_activity - ✅ admin.role_changed - ❌ auth.login_success (too noisy) ### By Severity Filter based on severity level: - **Critical Only** - Brute force, impossible travel, blocked threats - **High and Above** - Includes failed logins, suspicious activity - **Medium and Above** - Includes permission changes - **All** - Every security event (can be noisy) ### By Actor Optionally filter for specific users or groups: - VIP users (executives, admins) - New users (first 30 days) - Service accounts ## Setting Up Quiet Hours Avoid alert fatigue with quiet hours: 1. Go to **Settings** → **Integrations** → **Slack** 2. Enable **Quiet Hours** 3. Set your quiet period (e.g., 10 PM - 8 AM) 4. Choose how to handle alerts during quiet hours: - **Suppress** - Don't send any notifications - **Batch** - Send a summary at the end of quiet hours - **Critical Only** - Only send critical alerts ## Troubleshooting ### Not Receiving Notifications 1. **Check channel permissions** - Ensure the LiteSOC app can post to your channel 2. **Verify webhook URL** - The URL should start with `https://hooks.slack.com/` 3. **Test the webhook** - Use the "Send Test" button in LiteSOC 4. **Check Slack app status** - Ensure the app isn't disabled in Slack ### Duplicate Notifications If you're receiving duplicates: 1. Check if you have multiple webhooks configured 2. Ensure you're not using both built-in Slack and n8n integration 3. Review your notification rules for overlaps ### Webhook Errors If LiteSOC shows webhook errors: 1. **401/403** - Re-authorize the Slack connection 2. **404** - The webhook URL may have been revoked; create a new one 3. **500** - Slack is having issues; check [status.slack.com](https://status.slack.com) ## Best Practices 1. **Don't over-notify** - Only send actionable alerts to avoid fatigue 2. **Use severity filters** - Critical events need immediate attention 3. **Create runbooks** - Document response procedures for each alert type 4. **Review regularly** - Audit your notification settings monthly 5. **Use threads** - Group related alerts (available with built-in integration) --- Need help? Check our [webhook documentation](/docs/api#webhooks) or [contact support](/contact). --- ## LiteSOC MCP Server for AI Editors - **Category:** Integrations - **URL:** https://litesoc.io/help/integrations/mcp-server - **Updated:** 2026-04-11 > Give Cursor, Claude Desktop, and GitHub Copilot live access to your LiteSOC alerts, events, and forensic intelligence via the MCP Server. # LiteSOC MCP Server for AI Editors The LiteSOC MCP Server (`@litesoc/mcp-server`) is an official [Model Context Protocol](https://modelcontextprotocol.io) server that gives AI editors direct, live access to your LiteSOC security data — alerts, forensic intelligence, event logs, and incident resolution. ## What You Can Do With the MCP Server connected, you can ask your AI editor questions like: - *"Show me all open critical alerts"* - *"Analyze alert alt_abc123 — is this a real attack?"* - *"Get the last 20 failed login events"* - *"Resolve alert alt_abc123 as a false positive"* The AI gets live data from your LiteSOC project and can reason about threats, suggest remediation, and resolve incidents — all from your editor. ## Prerequisites - **Node.js 18+** - A **LiteSOC API key** (`lsk_live_...`) from Settings → API Keys - **Pro or Enterprise plan** for alert access and full forensic intelligence ## Setup in Cursor Go to **Settings → MCP → Add Server** and add: ```json { "mcpServers": { "litesoc": { "command": "npx", "args": ["-y", "@litesoc/mcp-server"], "env": { "LITESOC_API_KEY": "lsk_live_your_api_key_here" } } } } ``` ## Setup in Claude Desktop Edit the config file: - **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json` - **Windows:** `%APPDATA%\Claude\claude_desktop_config.json` ```json { "mcpServers": { "litesoc": { "command": "npx", "args": ["-y", "@litesoc/mcp-server"], "env": { "LITESOC_API_KEY": "lsk_live_your_api_key_here" } } } } ``` Restart Claude Desktop after saving. ## Available Tools The MCP Server exposes four tools: | Tool | Description | Parameters | |------|-------------|------------| | **list_alerts** | Fetch open security alerts | `status`, `severity`, `alert_type`, `limit` (1–50) | | **analyze_alert** | Full forensic detail for a single alert — VPN/Tor detection, geolocation, ISP, threat score | `alert_id` | | **get_recent_events** | Fetch latest raw security event logs | `limit` (1–50), `event_name`, `actor_id`, `severity` | | **resolve_incident** | Mark an alert as resolved with SOC 2 audit trail | `alert_id`, `resolution_type`, `notes` | ### Resolution Types When resolving an incident, use one of: - `blocked_ip` — Source IP has been blocked - `reset_password` — User password was reset - `contacted_user` — User was contacted to verify - `false_positive` — Not a real threat - `other` — Custom resolution ## Plan Requirements | Feature | Free | Pro | Enterprise | |---------|------|-----|------------| | `get_recent_events` | ✅ (network intel redacted) | ✅ | ✅ | | `list_alerts` | ❌ | ✅ | ✅ | | `analyze_alert` | ❌ | ✅ | ✅ | | `resolve_incident` | ❌ | ✅ | ✅ | Every response includes a footer showing your current plan, retention window, and data cutoff date. ## Security - All queries are scoped to your organization and project (tenant isolation enforced server-side) - The API key is read from the environment at runtime — never persisted or logged by the server - Uses stdio transport — no network ports are opened on your machine ## Troubleshooting ### "Check your LITESOC_API_KEY" - Verify the key starts with `lsk_live_` - Ensure the key has not been revoked in your dashboard - Check the `env` block in your MCP config ### "Upgrade to Pro" Alert-related tools (`list_alerts`, `analyze_alert`, `resolve_incident`) require a Pro or Enterprise plan. ### "Outside retention window" The alert or event ID may be older than your plan's retention period. Check the `X-LiteSOC-Cutoff` date in the response footer. --- Need help? Check our [API documentation](/docs/api) or [contact support](/contact). --- ## LLM-Friendly Routes (llms.txt) - **Category:** Integrations - **URL:** https://litesoc.io/help/integrations/llms-txt - **Updated:** 2026-04-11 > Learn about the /llms.txt and /llms-full.txt routes that let AI agents access LiteSOC documentation as structured Markdown. # LLM-Friendly Routes (llms.txt) LiteSOC follows the [llmstxt.org](https://llmstxt.org) proposal to make its public documentation accessible to AI agents and LLM-powered tools. Two routes are available: ## /llms.txt — Compact Index **URL:** [https://litesoc.io/llms.txt](https://litesoc.io/llms.txt) A lightweight Markdown file that serves as a central index linking to all public documentation. It includes: - **Documentation links** — API Reference, Integrations (Supabase, Auth0, n8n, MCP, Server Agent), How It Works, Features, Changelog - **Company pages** — Pricing, Security, About, Help Center - **SDK repositories** — Node.js, Python, PHP on GitHub ### Usage in AI Editors To give your AI editor full context about LiteSOC, paste this into Cursor or Claude: ``` @https://litesoc.io/llms.txt ``` The AI will fetch the index and follow the linked documentation as needed. ## /llms-full.txt — Full Knowledge Base **URL:** [https://litesoc.io/llms-full.txt](https://litesoc.io/llms-full.txt) A single Markdown document containing the **entire public knowledge base** in one request. This includes: 1. All product pages (About, Features, Pricing, Security, Changelog) 2. Full API Reference and Integration docs 3. Every Help Center article with complete content 4. All published blog posts This route is ideal for AI agents that need comprehensive context without making multiple requests. The content is cached for 1 hour and refreshed automatically. ## When to Use Which | Route | Best For | Size | |-------|----------|------| | `/llms.txt` | Quick reference, link-following agents | ~2 KB | | `/llms-full.txt` | Full-context ingestion for deep analysis | ~100 KB+ | ## Markdown Routes for Individual Pages Every public page also has a `.md` variant that returns raw Markdown: - `/pricing.md`, `/features.md`, `/security.md`, `/about.md` - `/docs.md`, `/docs/api.md`, `/docs/integrations.md` - `/how-it-works.md`, `/changelog.md`, `/help.md` These are useful if your AI tool only needs context about a specific page. ## AI Editor Banner The Dashboard Integration Guide and the public API Docs page both display an "AI Editor" banner with a one-click copyable `@https://litesoc.io/llms.txt` string for Cursor and Claude. --- Need help? Check our [API documentation](/docs/api) or [contact support](/contact). --- ## SOC 2 Compliance Overview - **Category:** Security & Compliance - **URL:** https://litesoc.io/help/security-compliance/soc2-overview - **Updated:** 2026-03-01 > Understand how LiteSOC helps you achieve and maintain SOC 2 compliance. # SOC 2 Compliance Overview LiteSOC is designed to help startups achieve and maintain SOC 2 compliance. This guide explains what SOC 2 is, how LiteSOC supports your compliance journey, and what evidence we provide for audits. ## What is SOC 2? SOC 2 (Service Organization Control 2) is a security framework developed by the AICPA that defines criteria for managing customer data based on five "Trust Service Criteria": 1. **Security** - Protection against unauthorized access 2. **Availability** - System accessibility and uptime 3. **Processing Integrity** - Accurate and complete data processing 4. **Confidentiality** - Protection of confidential information 5. **Privacy** - Personal information handling ## How LiteSOC Helps ### Security Audit Logs LiteSOC automatically captures and retains security events required for SOC 2 audits: - Authentication events (logins, failures, MFA) - Authorization changes (role changes, permissions) - Data access events (exports, deletions) - Administrative actions (settings changes) ### Immutable Audit Trail All events logged to LiteSOC are: - **Timestamped** with microsecond precision - **Immutable** - cannot be modified or deleted by users - **Retained** according to your plan (7-90 days) - **Exportable** for audit evidence ### Real-Time Threat Detection Demonstrate active security monitoring with: - Brute force attack detection - Impossible travel detection - Geo-anomaly alerts - Suspicious activity flagging ## SOC 2 Evidence from LiteSOC When preparing for a SOC 2 audit, export these reports: | Report | SOC 2 Control | Location | |--------|---------------|----------| | Login Event Summary | CC6.1 | Dashboard → Reports | | Failed Login Report | CC6.1 | Dashboard → Reports | | MFA Enrollment Status | CC6.1 | Dashboard → Reports | | Role Change Audit | CC6.2 | Dashboard → Reports | | Data Export Log | CC6.5 | Dashboard → Reports | ## LiteSOC's Own Compliance We practice what we preach: - ✅ **SOC 2 Type 1** - Assessment complete - 🔄 **SOC 2 Type 2** - In progress - ✅ **GDPR Compliant** - EU data protection - ✅ **Data Encryption** - AES-256 at rest, TLS 1.3 in transit --- Need compliance documentation? [Contact our team](/contact) for your audit support package. --- ## Enabling Multi-Factor Authentication - **Category:** Security & Compliance - **URL:** https://litesoc.io/help/security-compliance/enable-mfa - **Updated:** 2026-03-01 > Secure your account with two-factor authentication using authenticator apps. # Enabling Multi-Factor Authentication (MFA) Two-factor authentication (2FA) adds an extra layer of security to your LiteSOC account. This guide shows you how to enable and manage MFA. ## Why Enable MFA? - 🔒 Protect against password breaches - 🛡️ Required for SOC 2 compliance - ✅ Industry security best practice - 🚫 Prevents unauthorized access even if password is compromised ## Supported Methods LiteSOC supports TOTP (Time-based One-Time Password) authenticator apps: - **Google Authenticator** (iOS/Android) - **Authy** (iOS/Android/Desktop) - **1Password** (built-in) - **Microsoft Authenticator** - **Any TOTP-compatible app** ## Enabling MFA ### Step 1: Access Security Settings 1. Log in to your [LiteSOC Dashboard](https://litesoc.io/dashboard) 2. Click your profile in the top right 3. Go to **Settings** → **Security** ### Step 2: Enable Two-Factor Authentication 1. Find the **Two-Factor Authentication** section 2. Click **Enable 2FA** 3. Enter your password to confirm ### Step 3: Scan the QR Code 1. Open your authenticator app 2. Tap **Add Account** or the **+** button 3. Choose **Scan QR Code** 4. Point your camera at the QR code on screen Can't scan? Click **"Enter code manually"** and type the secret key. ### Step 4: Verify Setup 1. Enter the 6-digit code shown in your authenticator 2. Click **Verify** 3. 2FA is now enabled! ### Step 5: Save Recovery Codes **Critical step!** You'll be shown 10 recovery codes: 1. Click **Download** or **Copy** 2. Store them securely (password manager, safe, etc.) 3. These codes let you log in if you lose your phone ## Using MFA to Log In After enabling MFA, your login flow becomes: ``` Email → Password → 6-digit code from app → Dashboard ``` ## Managing MFA ### Regenerate Recovery Codes 1. Go to **Settings** → **Security** 2. Click **Regenerate Recovery Codes** 3. Old codes are immediately invalidated 4. Save your new codes securely ### Disable MFA 1. Go to **Settings** → **Security** 2. Click **Disable 2FA** 3. Enter your password and a valid 2FA code 4. Confirm the action > ⚠️ Disabling MFA reduces your account security. Only do this temporarily if switching devices. ## Best Practices 1. **Use a reputable authenticator** - Avoid SMS-based 2FA 2. **Backup your codes** - Store recovery codes offline 3. **Enable on all accounts** - Use 2FA everywhere you can 4. **Use app backup features** - Authy and others support encrypted backup --- Lost access to your authenticator? Use a [recovery code](/help/account/recovery-codes) or [contact support](/contact). --- ## Understanding Your Invoice - **Category:** Billing & Plans - **URL:** https://litesoc.io/help/billing/understanding-invoice - **Updated:** 2026-03-01 > Learn how to read and download your LiteSOC invoices. # Understanding Your Invoice This guide explains how to view, download, and understand your LiteSOC invoices. ## Accessing Invoices 1. Log in to your [LiteSOC Dashboard](https://litesoc.io/dashboard) 2. Go to **Settings** → **Billing** 3. Click **Invoice History** ## Invoice Details Each invoice includes: | Field | Description | |-------|-------------| | Invoice Number | Unique identifier (INV-XXXXXX) | | Invoice Date | When the invoice was generated | | Due Date | Payment due date (typically immediate for cards) | | Plan | Your subscription plan (Free, Pro, Enterprise) | | Period | Billing period covered | | Events | Events used vs. included | | Overage | Additional charges if over quota | | Total | Total amount charged | ## Downloading Invoices 1. Find the invoice in your history 2. Click the **Download PDF** button 3. Invoices are formatted for accounting and expense reports ## Payment Methods We accept: - Credit/Debit cards (Visa, Mastercard, Amex) - ACH bank transfers (US only, Enterprise) - Wire transfers (Enterprise) --- Questions about your invoice? [Contact billing support](mailto:billing@litesoc.io). --- ## Upgrading or Downgrading Your Plan - **Category:** Billing & Plans - **URL:** https://litesoc.io/help/billing/change-plan - **Updated:** 2026-03-01 > How to change your LiteSOC subscription plan. # Upgrading or Downgrading Your Plan Need more events or features? Or scaling down? This guide covers how to change your LiteSOC plan. ## Current Plans | Plan | Events/Month | Retention | Price | |------|-------------|-----------|-------| | Free | 5,000 | 7 days | $0 | | Pro | 50,000 | 30 days | $15/mo | | Enterprise | 500,000 | 90 days | $99/mo | ## Upgrading Your Plan ### From Free to Pro 1. Go to **Settings** → **Billing** 2. Click **Upgrade to Pro** 3. Enter payment details 4. Your new limits apply immediately! ### From Pro to Enterprise 1. Go to **Settings** → **Billing** 2. Click **Contact Sales** under Enterprise 3. We'll schedule a call to discuss your needs 4. Custom pricing based on volume ## Downgrading Your Plan ### From Pro to Free 1. Go to **Settings** → **Billing** 2. Click **Manage Plan** 3. Select **Free Plan** 4. Confirm the downgrade **Important considerations:** - Your current billing period continues until expiry - Data older than 7 days will be deleted after downgrade - Event quota reduces to 5,000/month ## Proration - **Upgrades**: Prorated charge for remaining period - **Downgrades**: Credit applied to future billing ## Cancellation To cancel your subscription: 1. Go to **Settings** → **Billing** 2. Click **Cancel Subscription** 3. Tell us why (optional feedback) 4. Confirm cancellation Your data is retained for 30 days after cancellation. --- Questions? [Contact our sales team](/contact) or [view pricing](/pricing). --- ## Understanding Detection Alerts - **Category:** Alerts & Detections - **URL:** https://litesoc.io/help/alerts-detections/understanding-alerts - **Updated:** 2026-03-01 > Learn how LiteSOC detects threats and what each alert type means. # Understanding Detection Alerts LiteSOC uses behavioral AI to automatically detect security threats in your application. This guide explains the different types of alerts and how to respond to them. ## Alert Types LiteSOC detects several types of security threats: ### 🔴 Brute Force Attack **What it is:** Multiple failed login attempts from the same IP or targeting the same account. **Trigger conditions:** - 5+ failed logins in 5 minutes from same IP - 10+ failed logins targeting same account in 1 hour **Recommended actions:** 1. Check if it's a legitimate user who forgot their password 2. Consider temporarily blocking the IP 3. Enable rate limiting on your login endpoint 4. Require CAPTCHA after failed attempts ### 🟠 Impossible Travel **What it is:** A user logging in from two geographically distant locations in an impossibly short time. **Trigger conditions:** - Login from Location A, then Location B - Distance/time ratio exceeds 500 mph (physically impossible) **Example:** - Login from New York at 10:00 AM - Login from London at 10:30 AM - Distance: ~3,500 miles in 30 minutes = impossible **Recommended actions:** 1. Verify the user hasn't shared credentials 2. Check for VPN usage (may trigger false positives) 3. Contact the user to confirm legitimate access 4. Consider forcing password reset ### 🟡 Geo-Anomaly **What it is:** Login from an unusual location for that user. **Trigger conditions:** - First login from a new country - Login from a country on your blocklist - Unusual location pattern for the user **Recommended actions:** 1. Send the user a "new login location" notification 2. Require additional verification (MFA) 3. Review if the location is expected (travel, remote work) ### 🔴 Suspicious Network **What it is:** Login from a high-risk network (VPN, Tor, datacenter IP). **Trigger conditions:** - Connection through known VPN provider - Tor exit node detected - Datacenter/cloud provider IP (not residential) **Recommended actions:** 1. Assess your risk tolerance for VPN users 2. Consider blocking Tor access for sensitive operations 3. Require additional authentication steps ## Alert Severity Levels | Severity | Color | Response Time | Examples | |----------|-------|---------------|----------| | **Critical** | 🔴 Red | Immediate | Active brute force, account takeover | | **High** | 🟠 Orange | Within 1 hour | Impossible travel, suspicious network | | **Medium** | 🟡 Yellow | Within 24 hours | Geo-anomaly, new device | | **Low** | 🟢 Green | Review weekly | Info events, successful logins | ## Managing Alerts ### Viewing Alerts 1. Go to **Dashboard** → **Alerts** 2. Alerts are sorted by severity and time 3. Click any alert for full details ### Resolving Alerts 1. Click the alert to open details 2. Review the evidence and context 3. Choose an action: - **Dismiss** - False positive, no action needed - **Acknowledge** - Noted, will monitor - **Escalate** - Requires immediate action 4. Add notes for your team ### Setting Up Notifications 1. Go to **Settings** → **Integrations** 2. Connect Slack, Discord, or email 3. Configure which severity levels trigger notifications ## Reducing False Positives ### VPN Users If your users commonly use VPNs: 1. Go to **Settings** → **Detection Rules** 2. Adjust VPN sensitivity or whitelist known providers ### Remote Teams For distributed teams: 1. Add expected countries to your allowlist 2. Adjust impossible travel thresholds 3. Consider user-specific baselines ### Service Accounts For automated systems: 1. Tag service accounts appropriately 2. Exclude them from certain detection rules 3. Use dedicated IP allowlists --- Need help tuning your alerts? [Contact support](/contact) or check our [API documentation](/docs/api). `, }, { title: "Responding to Security Incidents", slug: "incident-response", excerpt: "Step-by-step guide to handling security alerts and incidents.", lastUpdated: "2026-03-01", content: ` # Responding to Security Incidents When LiteSOC detects a potential security threat, quick and effective response is crucial. This guide provides a framework for handling security incidents. ## Incident Response Framework ### 1. Identify **Goal:** Confirm the alert is a real threat. **Steps:** 1. Review the alert details in LiteSOC 2. Check the actor's recent activity 3. Look for patterns (multiple alerts, unusual behavior) 4. Gather context (time, location, device) **Questions to ask:** - Is this a known user or attacker? - Does the activity match normal behavior? - Are there other related alerts? ### 2. Contain **Goal:** Stop the threat from spreading. **Immediate actions:** - Disable compromised accounts - Revoke active sessions - Block suspicious IPs - Disable affected API keys **In LiteSOC:** 1. Go to the alert details 2. Click **"View Actor"** 3. Use quick actions to disable/block ### 3. Investigate **Goal:** Understand the full scope. **Steps:** 1. Export affected events from LiteSOC 2. Review the timeline of activity 3. Identify all affected resources 4. Check for data access or exfiltration **Key evidence to collect:** - Login timestamps and locations - Actions performed during session - Data accessed or exported - IP addresses and user agents ### 4. Remediate **Goal:** Fix vulnerabilities and restore security. **Common remediation steps:** - Force password reset for affected users - Rotate compromised API keys - Patch identified vulnerabilities - Update firewall rules - Enable additional MFA requirements ### 5. Document **Goal:** Create a record for compliance and learning. **Document:** - Incident timeline - Root cause analysis - Actions taken - Lessons learned - Prevention measures **In LiteSOC:** 1. Add notes to the resolved alert 2. Export incident report 3. Store in your compliance records ## Common Incident Scenarios ### Scenario 1: Brute Force Attack \`\`\` Alert: 50 failed login attempts in 10 minutes Actor: unknown@attacker.com IP: 203.0.113.50 \`\`\` **Response:** 1. ✅ Block the IP immediately 2. ✅ Check if any attempts succeeded 3. ✅ Review other accounts targeted 4. ✅ Enable rate limiting 5. ✅ Consider CAPTCHA implementation ### Scenario 2: Impossible Travel \`\`\` Alert: Login from NYC, then Tokyo in 30 minutes Actor: john@company.com Risk: Account may be compromised \`\`\` **Response:** 1. ✅ Contact the user directly 2. ✅ Check if one login was via VPN 3. ✅ If suspicious, force logout all sessions 4. ✅ Require password reset 5. ✅ Review recent account activity ### Scenario 3: Data Export by Unknown IP \`\`\` Alert: Large data export from new location Actor: admin@company.com Data: 10,000 records exported \`\`\` **Response:** 1. ✅ Verify with admin user immediately 2. ✅ If unauthorized, disable account 3. ✅ Revoke data export if possible 4. ✅ Assess data sensitivity 5. ✅ Prepare breach notification if required ## Post-Incident Checklist After resolving an incident: - [ ] All affected accounts secured - [ ] Compromised credentials rotated - [ ] Root cause identified - [ ] Incident documented - [ ] Team debriefed - [ ] Detection rules updated - [ ] Monitoring enhanced - [ ] Compliance notified (if required) ## When to Escalate Escalate to leadership or legal when: - Personal data may have been accessed - Financial systems were compromised - Regulatory notification may be required - Attack is ongoing and sophisticated - You're unsure of the scope --- Need immediate help with an incident? [Contact our security team](mailto:security@litesoc.io) or call our emergency hotline. --- ## Custom Threat Models Overview - **Category:** Custom Threat Models - **URL:** https://litesoc.io/help/enterprise/custom-threat-models-overview - **Updated:** 2026-03-11 > Understand how Enterprise custom threat models let you define detection rules tailored to your application's threat surface. # Custom Threat Models (Enterprise) Custom Threat Models are Enterprise-only detection rules that let you go beyond LiteSOC's built-in detectors. You define exactly what constitutes a threat for your application — LiteSOC evaluates every incoming event against your rules in real time. ## What Makes a Custom Threat Model? Every rule has five parts: | Field | Description | Example | |-------|-------------|---------| | **Event Type** | The primary event to watch. Supports wildcards. | `auth.login_failed` or `auth.*` | | **Condition** | JSONB filter applied to matching events | See [Condition Reference](#condition-reference) | | **Threshold** | How many matching events trigger a detection | `5` | | **Time Window** | Rolling window in minutes to count events | `10` | | **Severity** | Alert severity when triggered | `critical`, `high`, `medium`, `low` | ### Optional: FOLLOWED BY (Chained Events) For multi-step attack patterns, you can add a second event type that must be observed **after** the first threshold is crossed: | Field | Description | Example | |-------|-------------|---------| | **Chained Event Type** | The event that must follow | `auth.login_success` | | **Chain Time Window** | Max minutes between primary and chained event | `15` | When both conditions are met — e.g. 5 failed logins **followed by** a successful login within 15 minutes — LiteSOC fires a **CRITICAL "Account Compromise Detected"** alert, regardless of the configured severity. The detection correlates the chained event to the **same actor or IP** that triggered the primary threshold. ## How Rules Are Evaluated Rules are evaluated **in-memory on every worker batch** (runs every 30 seconds). LiteSOC never performs database-side JSON filtering for evaluation — the entire condition tree is resolved in Node.js against the live event batch, making evaluation extremely fast even for complex nested logic. Redis counters track rolling counts per `(orgId, modelId)` key, automatically expiring after the configured time window. Sentinel keys for chained rules carry a TTL equal to the chain time window, ensuring **no state ever persists beyond 24 hours**. ## Plan Requirements Custom Threat Models are available on the **Enterprise plan only**. All rules you define are scoped to your organisation — other tenants cannot see or be affected by your rules. --- Next: [Metadata Filtering →](/help/enterprise/metadata-filtering) --- ## Metadata Filtering & Field Reference - **Category:** Custom Threat Models - **URL:** https://litesoc.io/help/enterprise/metadata-filtering - **Updated:** 2026-03-11 > Learn how to target nested JSONB fields like metadata.service or metadata.network_intelligence.is_vpn in your custom threat model conditions. # Metadata Filtering & Field Reference Every event sent to LiteSOC can carry an arbitrary `metadata` object. Custom Threat Model conditions can reach into any depth of this object using dot-notation field paths. ## Field Path Syntax Conditions reference event fields using dot-notation paths resolved left-to-right: | Path Prefix | Resolves To | Example Path | |-------------|-------------|--------------| | `metadata.` | `event.metadata[key]` | `metadata.service` | | `metadata..` | `event.metadata[a][b]` | `metadata.geo.country` | | `actor.` | `event.actor[key]` | `actor.email` | | `user_ip` | `event.user_ip` | `user_ip` | | `event` | `event.event` (the event type string) | `event` | ### Common Metadata Paths These fields are automatically populated by LiteSOC's enrichment pipeline when an IP is provided: | Field Path | Type | Description | |------------|------|-------------| | `metadata.service` | string | Your application service name (e.g. `"ssh"`, `"api"`) | | `metadata.error_code` | string | Application error code (e.g. `"invalid_password"`) | | `metadata.raw_log` | string | Raw log line — use `contains` operator for substring search | | `metadata.method` | string | Auth method (e.g. `"password"`, `"oauth"`, `"api_key"`) | | `metadata.endpoint` | string | API endpoint accessed (e.g. `"/api/v1/export"`) | | `metadata.record_count` | number | Number of records affected — use `gt`/`gte` operators | | `metadata.destination_country` | string | ISO country code for data movement rules | | `metadata.file_type` | string | File type for data export/download rules | ### Network Intelligence Fields When LiteSOC enriches an event with network intelligence, these fields are available: | Field Path | Type | Description | |------------|------|-------------| | `metadata.network_intelligence.is_vpn` | boolean | IP belongs to a known VPN provider | | `metadata.network_intelligence.is_tor` | boolean | IP is a Tor exit node | | `metadata.network_intelligence.is_proxy` | boolean | IP is an open proxy | | `metadata.network_intelligence.is_datacenter` | boolean | IP belongs to a cloud/datacenter ASN | | `metadata.network_intelligence.network_type` | string | `"residential"`, `"datacenter"`, `"vpn"`, `"tor"` | > **Note:** These fields are populated server-side by LiteSOC. You do not need to send them — they are injected during ingestion enrichment. ### Geolocation Fields | Field Path | Type | Description | |------------|------|-------------| | `metadata.country_code` | string | ISO 3166-1 alpha-2 country code (e.g. `"US"`, `"KP"`) | | `metadata.city` | string | City name | | `metadata.isp` | string | ISP / ASN name | ## Condition Shapes A condition is a JSONB object stored in the `condition` column of your rule. Three formats are supported, all fully backward-compatible: ### 1. No Condition (match all events of this type) ```json {} ``` Use this when the event type alone is sufficient — e.g. count every `data.bulk_delete` regardless of context. ### 2. Single Filter (simple equality) ```json { "field": "metadata.service", "operator": "equals", "value": "ssh" } ``` ### 3. Advanced Condition (AND / OR / NOT) ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.service", "operator": "equals", "value": "ssh" }, { "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" } ] } ``` The `logical_operator` must be one of `"AND"`, `"OR"`, or `"NOT"`. - **AND** — all filters must match - **OR** — at least one filter must match - **NOT** — negates the first filter only ### Optional: `group_by` Add a `group_by` hint to tell the UI which field to aggregate by in the alert detail view: ```json { "logical_operator": "AND", "filters": [...], "group_by": "user_ip" } ``` This is an annotation only — it does not affect detection logic. --- Next: [Operator Reference →](/help/enterprise/operator-reference) --- ## Operator Reference - **Category:** Custom Threat Models - **URL:** https://litesoc.io/help/enterprise/operator-reference - **Updated:** 2026-03-11 > Complete reference for all condition operators: equals, contains, not_in, regex, exists, and numeric comparisons. # Operator Reference Every filter inside a condition has three properties: `field`, `operator`, and `value`. This page documents every supported operator. ## Full Operator Table | Operator | Aliases | Value Type | Description | |----------|---------|------------|-------------| | `equals` | `eq` | string / number | Exact match (loose string coercion: `"200"` matches `200`) | | `not_equals` | `neq`, `ne` | string / number | Not equal | | `contains` | — | string | Case-insensitive substring match. Ideal for `metadata.raw_log` searches | | `not_contains` | — | string | Field does **not** contain the substring | | `starts_with` | — | string | Case-insensitive prefix match | | `ends_with` | — | string | Case-insensitive suffix match | | `gt` | `greater_than` | number | Numeric greater-than | | `lt` | `less_than` | number | Numeric less-than | | `gte` | `greater_than_or_equal` | number | Numeric ≥ | | `lte` | `less_than_or_equal` | number | Numeric ≤ | | `in` | — | array | `actualValue` is one of the array items (string coercion) | | `not_in` | — | array | `actualValue` is **not** in the array | | `exists` | — | — | Field is non-null and non-undefined. No `value` required | | `not_exists` | — | — | Field is null or undefined | | `regex` | — | string | Case-insensitive regular expression match against the field value | ## Operator Examples ### `equals` Match events where the service is exactly `"ssh"`: ```json { "field": "metadata.service", "operator": "equals", "value": "ssh" } ``` ### `contains` Find raw log lines that mention invalid SSH users: ```json { "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" } ``` ### `not_in` Flag data exports to any country **not** on your approved list: ```json { "field": "metadata.destination_country", "operator": "not_in", "value": ["US", "GB", "DE", "CA", "AU"] } ``` ### `gt` (greater than) Alert when a single export exceeds 10,000 records: ```json { "field": "metadata.record_count", "operator": "gt", "value": 10000 } ``` ### `exists` Only match events where a VPN field has been populated: ```json { "field": "metadata.network_intelligence.is_vpn", "operator": "exists" } ``` ### `regex` Match user-agents that look like bots or scanners: ```json { "field": "metadata.user_agent", "operator": "regex", "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap)" } ``` ### `in` Fire only for high-risk country logins: ```json { "field": "metadata.country_code", "operator": "in", "value": ["KP", "IR", "SY", "CU"] } ``` ## Combining Operators with AND / OR ### AND — all conditions must be true ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true" }, { "field": "metadata.service", "operator": "equals", "value": "ssh" } ] } ``` ### OR — at least one condition must be true ```json { "logical_operator": "OR", "filters": [ { "field": "metadata.network_intelligence.is_vpn", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_tor", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_proxy","operator": "equals", "value": "true" } ] } ``` ### NOT — negates the first filter ```json { "logical_operator": "NOT", "filters": [ { "field": "metadata.method", "operator": "equals", "value": "saml_sso" } ] } ``` This matches any event where the auth method is **not** SAML SSO. ## Common Pitfalls | Mistake | Fix | |---------|-----| | Boolean values as booleans: `"value": true` | Use string coercion: `"value": "true"` — the engine compares via `String(actual)` | | Using `regex` operator with catastrophic backtracking patterns | Test your regex externally first; invalid patterns are silently skipped | | Filtering on enriched fields (`is_datacenter`) before enrichment runs | These fields are set by LiteSOC during ingestion — always available by the time rules run | | `not_in` with an empty array | Always matches (nothing is in `[]`). Add a guard or use `exists` | --- Next: [Example Rule Library →](/help/enterprise/example-rule-library) --- ## Recommended Enterprise Rule Library - **Category:** Custom Threat Models - **URL:** https://litesoc.io/help/enterprise/example-rule-library - **Updated:** 2026-03-11 > Ready-to-use Enterprise detection rules: compromised accounts, data exfiltration, SSH botnets, credential stuffing, and more. # Recommended Enterprise Rule Library Copy these rules directly into the Custom Threat Models builder. Each rule includes the full condition JSON, recommended threshold, and the reasoning behind every parameter. --- ## Rule 1 — Compromised Account Detection (FOLLOWED BY) **Threat:** An attacker brute-forces a password and then logs in successfully with the cracked credentials — the classic account takeover chain. **Detection logic:** 10 or more `auth.login_failed` events within 10 minutes from the same actor or IP, **followed by** a successful `auth.login_success` within 15 minutes of the threshold being crossed. LiteSOC automatically correlates the chained event to the same actor or IP that triggered the primary threshold. | Setting | Value | |---------|-------| | **Event Type** | `auth.login_failed` | | **Condition** | `{}` (match all failed logins) | | **Threshold** | `10` | | **Time Window** | `10` minutes | | **Chained Event Type** | `auth.login_success` | | **Chain Time Window** | `15` minutes | | **Severity** | `high` (auto-upgraded to `critical` on breach) | **Condition JSON:** ```json {} ``` > When the chain fires, LiteSOC overrides the severity to **CRITICAL** and sets the alert name to *"Account Compromise Detected after Brute Force"* regardless of the configured severity — indicating confirmed account takeover. **Tuning tips:** - Lower the threshold to `5` for admin accounts by adding `{ "field": "actor.role", "operator": "equals", "value": "admin" }` - Increase the chain time window to `30` minutes for slower, low-and-slow attacks --- ## Rule 2 — Data Exfiltration from Non-Whitelisted Country **Threat:** An insider or compromised account exports sensitive data while connected from an unexpected geographic location — a common signal of exfiltration or a compromised session. **Detection logic:** Any `data.export` event where the destination or source country is **not** on your approved-country list. | Setting | Value | |---------|-------| | **Event Type** | `data.*` | | **Condition** | See below | | **Threshold** | `1` | | **Time Window** | `60` minutes | | **Severity** | `critical` | **Condition JSON:** ```json { "logical_operator": "AND", "filters": [ { "field": "event", "operator": "contains", "value": "export" }, { "field": "metadata.country_code", "operator": "not_in", "value": ["US", "GB", "DE", "CA", "AU", "NL", "SE", "NO", "DK", "FR"] } ], "group_by": "user_ip" } ``` **Tuning tips:** - Adjust the country allowlist to match your organisation's operating locations - Add `{ "field": "metadata.record_count", "operator": "gt", "value": 100 }` to only fire on bulk exports, reducing noise from single-record queries - Set threshold to `3` if occasional travel to non-listed countries is expected, so a single export doesn't page the team --- ## Rule 3 — SSH Botnet / Datacenter Brute Force **Threat:** Automated SSH login attacks originating from cloud/datacenter IP ranges rather than residential IPs. These are almost always scripted botnet activity or credential-stuffing tools — residential users do not SSH from AWS or Azure IP blocks. **Detection logic:** 5 or more `auth.login_failed` events within 5 minutes where the source IP is tagged as a datacenter address by LiteSOC's network intelligence enrichment. | Setting | Value | |---------|-------| | **Event Type** | `auth.login_failed` | | **Condition** | See below | | **Threshold** | `5` | | **Time Window** | `5` minutes | | **Severity** | `critical` | **Condition JSON:** ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.service", "operator": "equals", "value": "ssh" }, { "field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true" } ], "group_by": "user_ip" } ``` **Tuning tips:** - Remove the `metadata.service` filter to catch datacenter-sourced attacks against any service (API, admin panel, etc.) - Add `{ "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" }` to narrow to SSH username enumeration specifically - Pair with IP-whitelisting to suppress alerts from your own CI/CD infrastructure (which may run in datacenters) --- ## Rule 4 — VPN / Anonymiser Access to Sensitive Endpoints **Threat:** A user accessing sensitive API endpoints (admin panel, bulk export, user management) while routing through a VPN, Tor, or open proxy — a common tactic to obscure identity during insider attacks or session hijacking. | Setting | Value | |---------|-------| | **Event Type** | `data.*` | | **Condition** | See below | | **Threshold** | `1` | | **Time Window** | `30` minutes | | **Severity** | `high` | **Condition JSON:** ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.endpoint", "operator": "starts_with", "value": "/api/v1/admin" }, { "logical_operator": "OR", "filters": [ { "field": "metadata.network_intelligence.is_vpn", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_tor", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_proxy", "operator": "equals", "value": "true" } ] } ] } ``` > **Note:** Nested `OR` groups inside an outer `AND` are supported via the legacy `{ "and": [...] }` / `{ "or": [...] }` syntax for the inner group. Alternatively, flatten with three separate `OR` filters at the top level. --- ## Rule 5 — Admin Privilege Escalation Spike **Threat:** A burst of `admin.privilege_escalation` or `authz.permission.changed` events — a sign of a compromised admin account or an insider manipulating access controls before exfiltrating data. | Setting | Value | |---------|-------| | **Event Type** | `admin.*` | | **Condition** | See below | | **Threshold** | `3` | | **Time Window** | `15` minutes | | **Severity** | `critical` | **Condition JSON:** ```json { "logical_operator": "OR", "filters": [ { "field": "event", "operator": "contains", "value": "privilege_escalation" }, { "field": "event", "operator": "contains", "value": "role.changed" }, { "field": "event", "operator": "contains", "value": "permission.changed" } ], "group_by": "actor.id" } ``` --- ## Rule 6 — Scanner / Automated Attack Tool Detection **Threat:** Common attack tools (SQLMap, Nikto, Nuclei, Masscan) identified by their user-agent strings in API event logs. | Setting | Value | |---------|-------| | **Event Type** | `security.*` | | **Condition** | See below | | **Threshold** | `1` | | **Time Window** | `60` minutes | | **Severity** | `high` | **Condition JSON:** ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.user_agent", "operator": "regex", "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap|burpsuite|zap)" } ] } ``` --- ## Quick-Reference: All Six Rules | # | Rule Name | Event Type | Threshold | Window | Severity | |---|-----------|-----------|-----------|--------|----------| | 1 | Compromised Account | `auth.login_failed` → `auth.login_success` | 10 | 10 min | Critical | | 2 | Data Exfiltration | `data.*` | 1 | 60 min | Critical | | 3 | SSH Botnet | `auth.login_failed` | 5 | 5 min | Critical | | 4 | VPN + Admin Access | `data.*` | 1 | 30 min | High | | 5 | Privilege Escalation Spike | `admin.*` | 3 | 15 min | Critical | | 6 | Scanner Detection | `security.*` | 1 | 60 min | High | --- Need a custom rule for a threat not listed here? [Contact our Enterprise support team](mailto:enterprise@litesoc.io) — we'll help design it with you. --- # Blog Posts > All published posts from blog.litesoc.io ## Introducing the LiteSOC Server Agent, Real-Time SSH Monitoring in One Line - **URL:** https://blog.litesoc.io/introducing-the-litesoc-server-agent-real-time-ssh-monitoring-in-one-line - **Published:** 2026-04-12 - **Author:** Amirol Ahmad > Stream SSH security events from your servers to LiteSOC in real-time. Zero polling, zero dependencies, just one curl command to install. Until today, LiteSOC monitored your **application layer**, login attempts, MFA changes, admin actions flowing through your SDKs and integrations. But there's been a blind spot: the servers themselves. SSH brute-force attacks, unauthorized logins, and suspicious session activity all happen at the OS level, below your application code. If someone is hammering your server with failed SSH attempts at 3 AM, your app-layer monitoring won't catch it. **Today we're closing that gap.** ## Meet `litesoc-agent` The LiteSOC Server Agent is a lightweight, open-source Go binary that runs as a background service on your Linux or macOS servers. It tails your system authentication logs in real-time and streams structured security events directly to LiteSOC with **zero polling overhead**. No runtime dependencies. No interpreters. No sidecars. Just a single static binary. ## ⚡ One-Line Install Get up and running in seconds: ```bash curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_xxx bash ``` The installer automatically: 1. Detects your OS and architecture 2. Downloads the correct pre-built binary 3. Writes `/etc/litesoc/config.yaml` 4. Stores your API key securely in `/etc/litesoc/agent.env` (mode `0600`) 5. Installs and enables a `systemd` service That's it. Events start flowing within seconds. ## 🔍 What It Detects The agent parses OpenSSH log entries and emits three event types that map directly to LiteSOC's standard event taxonomy: | Event | Trigger | |---|---| | `auth.login_failed` | Failed SSH login attempt | | `auth.login_success` | Successful SSH authentication | | `auth.logout` | SSH session disconnected | Every event includes rich metadata **username**, **client IP** (IPv4 and IPv6), **SSH port**, and **authentication method** giving LiteSOC's Behavioral AI the full context it needs to detect impossible travel, geo-anomalies, and brute-force patterns across your infrastructure. ## 💓 Heartbeat Monitoring The agent pings LiteSOC every 60 seconds with its hostname, IP address, version, and recent activity. If an agent goes silent maybe the server crashed, or someone killed the process your dashboard flags it immediately. No more "we didn't realize the server was down for 6 hours." ## 🔄 Built for Production We designed the agent for environments where reliability is non-negotiable: - **Log-rotation aware**: Handles `logrotate` via inotify/kqueue `ReOpen`. Zero missed events after rotation. - **Systemd integration**: Ships with a service unit that auto-restarts on failure. - **Multi-architecture**: Pre-built binaries for `linux/amd64`, `linux/arm64`, `linux/arm`, `darwin/amd64`, and `darwin/arm64`. - **100% test coverage**: Every function tested, race-condition verified. ## 🛡️ Security by Design Your API key is **never** stored in the config file. It lives exclusively in `/etc/litesoc/agent.env` with `0600` permissions, read only by the agent process via the `LITESOC_KEY` environment variable. The config itself is minimal and transparent: ```yaml # /etc/litesoc/config.yaml api_endpoint: https://api.litesoc.io heartbeat_interval: 60 log_watchers: - path: /var/log/auth.log type: sshd ``` The agent supports all major Linux distributions out of the box: | Distribution | Log Path | |---|---| | Debian / Ubuntu | `/var/log/auth.log` | | RHEL / CentOS / Fedora / Amazon Linux | `/var/log/secure` | | Alpine | `/var/log/messages` | ## The Full Picture With the server agent, LiteSOC now monitors security across your **entire stack**: - **Application layer**: SDK events from your Next.js, Node, Python, or PHP backend - **Auth provider layer**: Native integrations with Supabase, Auth0, and n8n - **Infrastructure layer**: Real-time SSH monitoring via `litesoc-agent` All events feed into the same Behavioral AI engine. An `auth.login_success` from your app and an `auth.login_success` from SSH are correlated together giving you a unified forensic timeline across every surface. ## Get Started Install the agent on your first server in under 30 seconds: ```bash curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_xxx bash ``` Then check your [LiteSOC dashboard](https://app.litesoc.io) you'll see events streaming in real-time. The agent is fully open-source. Browse the code, file issues, or contribute on [GitHub](https://github.com/litesoc/litesoc-agent). [**Read the full docs →**](https://litesoc.io/docs/integrations/agent) --- ## Security Monitoring for Small Businesses: Enterprise Protection Without the Enterprise Price Tag - **URL:** https://blog.litesoc.io/security-monitoring-for-small-businesses-enterprise-protection-without-the-enterprise-price-tag - **Published:** 2026-04-09 - **Author:** Amirol Ahmad > Small businesses are the #1 target for cyberattacks yet most don't have the tools to detect a breach until it's too late. Here's how to fix that without hiring a security team Here's a statistic that should keep every small business owner up at night: **43% of all cyberattacks now target small businesses.** Yet only 14% of those businesses consider themselves "highly prepared" to defend against one. That gap is where attackers live. If you run a small or medium-sized business, chances are you're thinking: *"We're too small. Nobody is going to come after us."* That's exactly what they're counting on. ## Why Small Businesses Are the #1 Target in 2026 Hackers aren't just going after Fortune 500 companies anymore. In fact, large enterprises are increasingly *harder* to breach, they have dedicated security teams, enterprise firewalls, threat detection software, and incident response plans. Small businesses? Far softer targets: - **No dedicated security team**: One IT generalist (if you're lucky) wearing twelve hats - **Outdated software**: Security patches get delayed when there's no one whose job it is to apply them - **Weaker vendor security**: SMBs often share supply chains with larger companies, making them a side door into bigger targets - **Valuable data anyway**: Customer credit cards, employee SSNs, healthcare records, client contracts, small businesses hold real data worth stealing The average cost of a data breach for an SMB is now **$3.31 million**. Most small businesses never recover. In fact, **60% close within six months** of a significant cyberattack. You don't need to be Amazon to have something worth protecting. ## The Three Things That Happen Before You Know You've Been Breached Most breaches aren't discovered immediately. On average, it takes **207 days** to identify a breach, and another 73 days to contain it. That's nearly 9 months of an attacker sitting quietly inside your systems. What happens during that time? Three things: ### 1. Credential Stuffing An attacker takes a list of leaked usernames and passwords (there are billions available on the dark web) and systematically tries them against your login page. When one works, they're in silently. No alarms. No alerts. Just a quiet login from an IP address in a country you've never done business in. ### 2. Privilege Escalation Once inside, they don't act immediately. They explore. They find a low-privilege account, then look for misconfigured permissions or unpatched systems to elevate their access. Eventually they reach your customer database, your financial records, or your admin panel. ### 3. Exfiltration Quietly, over days or weeks, they copy data out. Small batches. Nothing that would trigger a firewall alarm. By the time you notice your customer list showed up on a dark web forum, they've been gone for months. The scary part? Without security monitoring, you wouldn't notice any of these three steps happening. ## What "Security Monitoring" Actually Means for an SMB Forget the buzzwords for a moment. At its core, security monitoring means one thing: **knowing what's happening inside your software in real time.** Every time someone logs into your app, that's an event. Every time an admin changes a permission, that's an event. Every time someone exports a file, downloads a report, or resets a password those are all events. Security monitoring means capturing those events and alerting you when something looks wrong. For an SMB, that boils down to three practical capabilities: **1. Know who is logging in and from where** Is that your employee in Chicago, or someone using their stolen credentials logging in from Bucharest? **2. Know when something changes that shouldn't** Did an employee just grant themselves admin access at 11 PM on a Friday? **3. Know when data is leaving your systems** Did someone just bulk-export your entire customer list? If you can answer those three questions in real time, you're ahead of 90% of small businesses and you've eliminated the three-step attack pattern described above. ## The Tools SMBs Used to Have to Choose From (And Why They All Sucked) Until recently, an SMB owner looking for security monitoring had two options: ### Option A: Enterprise SIEM Tools like Splunk, IBM QRadar, or Microsoft Sentinel. Powerful, feature-rich, and designed for companies with 10-person security teams and $500,000 budgets. Typical cost: **$50,000–$200,000/year** plus implementation fees. Requires dedicated engineering resources just to keep it running. Not an option for a 20-person business. ### Option B: Nothing Most SMBs end up here. They rely on occasional manual log reviews (if anyone gets around to it), antivirus software that only catches known malware, and hope. Hope is not a security strategy. ## A Third Option: Purpose-Built for Businesses Like Yours This is where **LiteSOC** changes the equation. LiteSOC was built from the ground up for companies that need real security monitoring but can't justify a six-figure SIEM or a dedicated security team. It gives you the detection capabilities of an enterprise SOC (Security Operations Center) in a package you can integrate in under 10 minutes. Here's what that looks like in practice: ### Real-Time Event Monitoring Every login, permission change, data export, password reset, and admin action in your app is captured and structured automatically. You get a real-time feed of what's happening, not a log file that nobody reads. ### Intelligent Alerts, Not Noise LiteSOC's behavioral engine builds a baseline of what normal looks like for your business. When something deviates a login from a new country, an unusual number of failed attempts, a bulk data export at 3 AM, you get an alert. Not a thousand false positives. A real signal. ### Impossible Travel Detection If your employee's account logs in from New York at 9 AM and then logs in from Singapore at 11 AM, that's physically impossible. LiteSOC catches this automatically using Haversine-based geospatial math and flags it as a high-severity alert immediately. This is the kind of detection that used to require enterprise AI platforms. ### Automatic Compliance Audit Trails If your business handles customer data and virtually every SMB does you likely have compliance obligations you may not even be fully aware of: PCI DSS if you take payments, HIPAA if you're in healthcare, state-level privacy laws if you serve customers in California or other regulated states. LiteSOC automatically logs every admin action, every data access event, and every security-relevant change with timestamps, user IDs, and IP addresses. When an auditor asks "who accessed that customer record on March 3rd?", you have a precise answer in seconds. ### No Security Team Required You don't need to hire a CISO or a SOC analyst. LiteSOC does the monitoring for you and surfaces only the alerts that require human attention. An office manager can triage most alerts. The serious ones escalate with full context so you (or an outside consultant) can act decisively. ## A Real-World Scenario: The Breach You Would Have Missed Let's make this concrete. **Sarah runs a 15-person accounting firm.** Her team uses a web-based client portal where customers upload financial documents. Without security monitoring, here's what a breach looks like: 1. An attacker finds a leaked password from a data breach two years ago. Sarah's employee "reused" the same password. 2. The attacker logs into the portal from a VPN-masked IP address. No one notices. 3. Over three weeks, they slowly download client financial records a few files at a time. 4. Three months later, Sarah's clients start getting targeted phishing emails using details only found in those documents. 5. Sarah spends six months investigating, notifying clients, and managing regulatory fallout. The total cost: $400,000 and her firm's reputation. **With LiteSOC:** 1. The login from an unfamiliar location triggers an alert within seconds. 2. The account is flagged for review before any data is accessed. 3. The breach is contained. Sarah gets an email notification. She resets the password. Done. The entire incident is a 10-minute inconvenience rather than a business-ending crisis. ## Getting Started: What to Monitor First If you're new to security monitoring, start with the highest-risk events. LiteSOC supports 26 standard security event types out of the box. For an SMB, focus on these five first: | Event | Why It Matters | |---|---| | `auth.login_success` | Track every login, especially from new locations | | `auth.login_failure` | Repeated failures signal a brute-force attempt | | `admin.role_change` | Privilege escalation is a key attacker technique | | `data.export` | Bulk exports at unusual hours often mean exfiltration | | `auth.password_reset` | Mass resets can indicate account takeover activity | These five event types cover the most common attack patterns against SMBs. Once LiteSOC is ingesting these events, the behavioral engine starts building your baseline immediately. ## How Much Does It Actually Cost? This is the part where most security products disappoint: the pricing page. LiteSOC is priced for real businesses, not enterprise procurement departments. There's a free tier to get you started, and paid plans scale based on your event volume not a flat fee that assumes you have a CFO with budget authority. For most SMBs, the annual cost of LiteSOC is **less than a single hour of incident response consulting** after a breach. The math isn't complicated. ## The Three Steps to Getting Protected Today You don't need to boil the ocean. Here's the practical 3-step path: **Step 1: Instrument your app (10 minutes)** Add the LiteSOC SDK to your application using Node.js, Python, or PHP. For the most common web frameworks, it's one function call per event type. ```javascript import { LiteSOC } from '@litesoc/node'; const client = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY }); // When a user logs in await client.track({ eventName: 'auth.login_success', userId: user.id, metadata: { ip_address: req.ip, user_agent: req.headers['user-agent'], } }); ``` **Step 2: Set up your alert rules (15 minutes)** LiteSOC ships with sensible default alert rules for all 26 standard events. Review and adjust thresholds for your specific business, for example, if your team is globally distributed, you may want to tune the impossible travel detection sensitivity. **Step 3: Connect your notification channels (5 minutes)** Connect Slack, email, or PagerDuty so alerts reach the right person immediately. For most SMBs, a dedicated Slack channel is all you need. That's it. **Thirty minutes from zero to monitored.** --- ## You Don't Have to Be a Target Here's the honest truth: small businesses will continue to be attacked. The threat isn't going away. But being attacked doesn't mean being breached and being breached doesn't mean being destroyed. The difference is visibility. Knowing what's happening in your systems in real time, being alerted when something looks wrong, and having the audit trail to understand what happened after the fact. You don't need a security team. You don't need a $100,000 SIEM contract. You need the right tool. **LiteSOC gives small businesses the same detection capabilities that enterprises pay millions for packaged for a team of five, priced for a team of five, and simple enough that you don't need a security background to use it.** Because your business deserves to survive. --- *Ready to see what LiteSOC can do for your business? [Start for free at litesoc.io](https://litesoc.io) no credit card required, up and running in under 30 minutes.* --- ## Detecting Data Exfiltration Patterns in SaaS Applications - **URL:** https://blog.litesoc.io/detecting-data-exfiltration-patterns-in-saas-applications - **Published:** 2026-04-07 - **Author:** Amirol Ahmad > Learn how to identify data exfiltration before it becomes a breach. Covers bulk-download signals, after-hours anomalies, and how LiteSOC's data.* events give you real-time visibility Data exfiltration is the silent killer of SaaS companies. Unlike a brute-force attack which announces itself in your logs exfiltration often looks like normal user behavior until it's too late. A disgruntled employee exporting every customer record before resigning. An attacker using a stolen session to systematically drain your database. A third-party integration quietly syncing far more data than it should. The bad news: most SaaS apps have no idea it's happening. The good news: the signals are there if you know what to look for. ## What is Data Exfiltration? Data exfiltration is the unauthorized transfer of data from your system. It comes in two forms: - **Insider threat**: A legitimate user (employee, contractor, partner) abusing their access to copy, download, or transmit data they shouldn't. - **External attacker**: A threat actor who has gained access via stolen credentials, session hijacking, or API key compromise and is systematically extracting data. Both leave a trail. Your job is to instrument your application to capture it. ## The Four Exfiltration Signals ### 1. Bulk Data Downloads A user who downloads 10 records a day suddenly exports 50,000 in a single session. This is the clearest exfiltration signal, and it's shockingly easy to miss if you're not tracking download volumes per user. Track this with a `data.export` event every time a user triggers a bulk download or CSV export: ```typescript import { LiteSOC } from "@litesoc/node"; const client = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY }); // Inside your export handler await client.track({ event_name: "data.export", user_id: session.userId, ip_address: req.ip, metadata: { record_count: exportedRows, export_format: "csv", table: "customers", filters_applied: !!query.filters, }, }); ``` LiteSOC's behavioral baseline will alert you when a single user's export volume spikes beyond their 30-day rolling average. ### 2. After-Hours Access Normal users access your application during business hours, within the timezone tied to their profile. When data access events cluster between 2 AM and 5 AM local time especially high-volume ones that is a strong exfiltration signal. This pairs with impossible travel detection. An account that logs in from London at 9 AM and then initiates a bulk export from Singapore at 2 AM is almost certainly compromised. ### 3. Rapid Sequential Record Access Rather than exporting a table in one shot, sophisticated attackers will paginate through your API to avoid triggering bulk-export alerts. The pattern: hundreds of `GET /api/records?page=N` requests in rapid succession from the same session. Track `data.read` events with a `batch_size` context field and set alerts when a session reads more than your baseline threshold in a short window: ```typescript await client.track({ event_name: "data.read", user_id: session.userId, ip_address: req.ip, metadata: { resource: "invoices", record_count: results.length, page: query.page, is_programmatic: isAPIKeyRequest, }, }); ``` ### 4. Scope Creep in API Keys API keys are often the exfiltration vector that goes completely undetected. A key provisioned for a narrow purpose (e.g., webhook verification) starts being used to read sensitive resources. Track `data.read` events by API key, not just by user, and alert when a key accesses resources outside its historical pattern. ## Building a Detection Baseline Point-in-time anomaly detection produces too many false positives. A CFO running end-of-quarter exports will trigger every threshold-based rule you write. The solution is **behavioral baselines**. LiteSOC builds a 30-day rolling baseline per user per event type. Rather than alerting on "user exported more than 1,000 records," it alerts on "user exported 10× their typical volume." This eliminates noise while catching genuine outliers. For your own application-level logic, you can query the LiteSOC Management API to retrieve a user's recent `data.export` activity and compare it in real time: ```typescript // Check if current export is anomalous before allowing it const recentExports = await fetch( `https://api.litesoc.io/events?event_name=data.export&user_id=${userId}&limit=30`, { headers: { "X-API-Key": process.env.LITESOC_API_KEY } } ); const { data: events } = await recentExports.json(); const avgRecordCount = events.reduce((sum: number, e: any) => sum + (e.metadata?.record_count ?? 0), 0) / (events.length || 1); if (requestedCount > avgRecordCount * 5) { // Require step-up authentication or manager approval return res.status(403).json({ error: "Export volume exceeds your baseline. Step-up auth required." }); } ``` ## The Data Event Taxonomy LiteSOC provides four purpose-built events for data activity. Use all of them. | Event | When to Fire | Key Metadata | |---|---|---| | `data.read` | Any sensitive record fetch | `resource`, `record_count`, `is_programmatic` | | `data.export` | CSV/JSON/bulk download triggered | `record_count`, `export_format`, `table` | | `data.delete` | Record or batch deletion | `record_count`, `resource`, `is_bulk` | | `data.share` | Link sharing, permission grant, external access | `recipient`, `permission_level`, `resource_id` | Don't conflate these. Keeping them separate lets you build precise alert rules e.g., "alert on `data.export` > 10,000 records" without being drowned out by routine `data.read` events. ## What to Do When You Detect It Detection without a response plan is theater. When LiteSOC fires a data exfiltration alert, your runbook should: 1. **Immediately invalidate the session** (or API key) that triggered the alert. 2. **Freeze the account** pending review not delete, freeze. 3. **Snapshot the alert** with full forensic context (LiteSOC preserves IP, geolocation, and network intelligence for this exact purpose). 4. **Notify your security contact** via your configured webhook or email channel. 5. **Preserve the audit trail** do not modify or delete the user's records until legal review is complete. LiteSOC's webhook payloads include the full event object and alert context, so an n8n or Zapier automation can handle steps 1–4 in under five seconds. ## Conclusion Data exfiltration is detectable, but only if you instrument your application to capture the signals. Start with `data.export` events today, it's a single line of code per export endpoint and layer in `data.read`, `data.delete`, and `data.share` as you go. With LiteSOC's behavioral baselines doing the heavy lifting, you'll know about exfiltration before your customers do. Ready to instrument your first data event? Check out the [LiteSOC Node SDK](/docs/sdks/node) or the [REST API reference](/docs/api). --- ## LiteSOC Is Now LLM-Friendly - **URL:** https://blog.litesoc.io/litesoc-is-now-llm-friendly - **Published:** 2026-04-02 - **Author:** Amirol Ahmad > Every public page on litesoc.io now has a raw Markdown route. Drop @https://litesoc.io/llms.txt into Cursor or Claude and generate your full security integration in seconds. If you use Cursor, Claude, GitHub Copilot, or any AI-assisted editor to write code, today's update is for you. LiteSOC now ships a complete **LLM context layer** — a set of routes that expose every page of the platform as clean, crawlable Markdown. One URL gives your AI editor the full picture of our API, events, plans, and integrations so it can generate a working integration without you writing a single prompt. ## The Problem With AI + Documentation When you ask an AI editor to "add LiteSOC security tracking to my login route", it usually does one of three things: 1. Hallucinates an API that doesn't exist 2. Uses a months-old snapshot of our docs from its training data 3. Asks you to paste in the relevant docs manually None of these are good. The root cause is that most documentation sites render their content inside JavaScript-heavy SPAs that AI agents can't read. The raw text is buried inside React component state, tab panels, and dynamic query results. We've fixed that. ## What We Built ### `/llms.txt` — The Index Following the [llmstxt.org](https://llmstxt.org) proposal, `https://litesoc.io/llms.txt` is a plain-text file that gives AI agents a structured map of everything on the site: ``` # LiteSOC > LiteSOC is a lightweight Security Observability SaaS for startups... ## Documentation - [API Reference](https://litesoc.io/docs/api.md): Complete API reference — 26 standard events... - [Integrations](https://litesoc.io/docs/integrations.md): Supabase, Auth0, n8n... ... ## SDKs - [Node.js](https://github.com/LiteSOC/litesoc-node) - [Python](https://github.com/LiteSOC/litesoc-python) - [PHP](https://github.com/LiteSOC/litesoc-php) ``` This is the entry point. Every page has a corresponding `.md` URL. ### 10 Markdown Routes | Page | Markdown URL | |---|---| | Pricing | `https://litesoc.io/pricing.md` | | Features | `https://litesoc.io/features.md` | | API Reference | `https://litesoc.io/docs/api.md` | | Integrations | `https://litesoc.io/docs/integrations.md` | | How It Works | `https://litesoc.io/how-it-works.md` | | Security & Compliance | `https://litesoc.io/security.md` | | Help Center | `https://litesoc.io/help.md` | | Docs Overview | `https://litesoc.io/docs.md` | | Changelog | `https://litesoc.io/changelog.md` | | About | `https://litesoc.io/about.md` | Every route returns `Content-Type: text/markdown` and is pre-rendered at build time (`force-static`) — zero latency, CDN-cached, always in sync with the UI because they share the same data modules. ### `/llms-full.txt` — Everything in One Shot For agents that want the complete context in a single request, `https://litesoc.io/llms-full.txt` returns one giant Markdown document containing: - All product pages (About, Features, Pricing, Security, Changelog, How It Works) - The full API reference with all 26 standard events, endpoints, rate limits, and response headers - Every help center article — including the complete body text of all 17 articles across 7 categories - All published blog posts, fetched live from the database The document is rebuilt at most once per hour via ISR and served stale-while-revalidating at the CDN edge, so it's fast without ever going stale for long. ## How to Use It ### Cursor Add this to your cursor rules, or just type it in the composer: ``` @https://litesoc.io/llms.txt ``` Cursor will fetch the index and automatically pull the relevant `.md` pages based on your question. Ask it to add a login tracker to your Express app and it'll read `docs/api.md`, understand the `auth.login_success` and `auth.login_failed` events, and write the correct code. ### Claude Paste the URL into any Claude conversation: ``` @https://litesoc.io/llms.txt Add LiteSOC security tracking to my Next.js app. I use Supabase Auth. ``` Claude will fetch the index, discover the integrations page, and generate a complete implementation including the Supabase webhook handler. ### For Full Context (Claude Projects, Cursor Rules) Use `llms-full.txt` when you want to load everything upfront — ideal for a Claude Project or a persistent Cursor rules file: ``` @https://litesoc.io/llms-full.txt ``` ## It's Always In Sync The Markdown routes don't have a separate content pipeline to maintain. They're powered by the exact same data modules that render the UI: - `lib/pricing-data.ts` → used by `/pricing` (UI) **and** `/pricing.md` (LLM) - `lib/features-data.ts` → used by `/features` (UI) **and** `/features.md` (LLM) - `lib/changelog-data.ts` → used by `/changelog` (UI) **and** `/changelog.md` (LLM) When we update pricing or add a new event type, the Markdown routes update automatically at the next build. No docs lag. ## Try It Now Paste this into your AI editor of choice: ``` @https://litesoc.io/llms.txt ``` Then ask it to add security event tracking to your app. Let us know how it goes — we're [@mylitesoc](https://x.com/mylitesoc) on X. --- ## How MSSPs and LiteSOC Work Better Together - **URL:** https://blog.litesoc.io/how-mssps-and-litesoc-work-better-together - **Published:** 2026-03-31 - **Author:** Amirol Ahmad > Managed Security Service Providers can deliver faster onboarding, stronger audit trails, and scalable multi-tenant forensics for their clients by integrating LiteSOC's API-first platform. Running a Managed Security Service Provider (MSSP) is a balancing act. You're expected to deliver enterprise-grade protection to dozens sometimes hundreds of clients, each with their own stack, compliance requirements, and risk appetite. And you're expected to do it without a team of 200 analysts. That's the exact problem LiteSOC was designed to solve. This post breaks down how MSSPs can use LiteSOC's multi-tenant infrastructure, Management API, and behavioral detection engine to scale their security services without scaling their headcount. --- ## The MSSP Problem Nobody Talks About Most security tooling is designed for a single organization. One dashboard. One database. One set of alerts. That's fine if you're an in-house security team. But if you're an MSSP managing 30 clients, "one tenant = one tool instance" is a nightmare: - **Deployment overhead:** Standing up a new instance for each client takes days, not minutes. - **Context switching:** Your analysts jump between portals all day. Fatigue is a real attack surface. - **Inconsistent controls:** Each client ends up with a slightly different configuration. Drift compounds over time. - **Billing complexity:** You're paying per-seat or per-instance pricing that doesn't align with how you actually deliver services. LiteSOC solves this with a **Master Dashboard** — a single Super-Admin view where you manage all client organizations from one place. --- ## The Master Dashboard: One Pane, All Clients When you join LiteSOC as an MSSP partner, your account gets elevated to a **Super-Admin role**. This unlocks: - **Organization switching** with one click — no re-authentication, no shared passwords. - **Cross-tenant alert feeds** — see all critical alerts across all clients in a single inbox, prioritized by severity. - **Unified audit trail** — every action your analyst takes is logged with the client context attached, giving you a clean chain of custody. - **Wholesale billing** — you pay a flat rate, then charge clients whatever margin suits your service tier. Here's what a typical analyst workflow looks like with LiteSOC: ``` Super-Admin View ├── Client: Acme Corp (12 alerts, 2 critical) │ ├── auth.login_failure × 47 (Geo-Anomaly: Nigeria → NYC) │ └── authz.privilege_escalation × 1 (severity: critical) ├── Client: Fintech Startup (0 alerts) └── Client: SaaS Co (4 alerts, 1 high) └── data.bulk_export × 1 (severity: high) ``` No additional tooling. No manual log aggregation. Just actionable context. --- ## Integration in Under 2 Minutes Your clients don't need to overhaul their stack. LiteSOC's ingestion API accepts a clean JSON payload from any language: ```bash curl -X POST https://api.litesoc.io/collect \ -H "X-API-Key: lsoc_live_your_client_key" \ -H "Content-Type: application/json" \ -d '{ "event_name": "auth.login_failure", "user_id": "usr_abc123", "ip_address": "203.0.113.42", "metadata": { "reason": "invalid_password", "attempt_count": 5 } }' ``` That's it. LiteSOC handles: - **Severity assignment** server-side (clients can't manipulate it) - **GeoIP enrichment** — country, city, ISP, VPN/Tor detection - **Behavioral baseline** — 30-day rolling baseline for Impossible Travel and Geo-Anomaly detection - **SOC 2 audit trail** — immutable, retention-gated event log Your clients get enterprise-grade forensics. You get the credit. --- ## The 26 Standard Events: A Shared Language One of the biggest friction points in MSSP work is normalizing log formats across different client stacks. Every vendor has their own field names, event types, and severity scales. LiteSOC solves this with **26 Standard Events** — a fixed taxonomy that covers the most critical security signals across auth, admin, data, security, and authorization domains: | Namespace | Example Events | |-----------|----------------| | `auth.*` | `auth.login_success`, `auth.login_failure`, `auth.mfa_bypassed` | | `admin.*` | `admin.role_changed`, `admin.user_deleted`, `admin.config_modified` | | `data.*` | `data.bulk_export`, `data.record_deleted`, `data.pii_access` | | `security.*` | `security.api_key_rotated`, `security.anomaly_detected` | | `authz.*` | `authz.privilege_escalation`, `authz.unauthorized_access` | When your team reviews alerts, every client uses the same vocabulary. Onboarding new analysts is faster. Runbooks are reusable. Compliance mapping is consistent. --- ## Behavioral AI: Catch What Rules Miss Signature-based detection has a ceiling. A sophisticated attacker who moves slowly and avoids known bad IPs will fly under most rule-based systems. LiteSOC's behavioral detection layer adds two capabilities that matter for MSSPs: ### Impossible Travel LiteSOC uses the **Haversine formula** to calculate the real-world distance between two login events and their timestamps. If a user logs in from London at 09:00 UTC and from Tokyo at 09:45 UTC, that's physically impossible. An alert fires automatically — no rule to write, no threshold to tune. ``` ⚠️ IMPOSSIBLE TRAVEL DETECTED User: jane.doe@acmecorp.com Event 1: auth.login_success — London, UK (09:00 UTC) Event 2: auth.login_success — Tokyo, JP (09:43 UTC) Distance: 9,560 km | Time: 43 min | Required speed: 13,337 km/h Severity: CRITICAL ``` ### Geo-Anomaly Detection LiteSOC builds a 30-day baseline of each user's typical login geography. A login from a new country — even if the velocity is plausible — triggers a `security.anomaly_detected` event with the anomaly context attached. This gives your analysts a starting point for investigation without drowning them in false positives. --- ## Automated SOC 2 Audit Trails If you're positioning your MSSP as a compliance enabler (and you should be), LiteSOC gives you a significant differentiator: **automated, client-ready SOC 2 audit trails**. Every event in LiteSOC is: - **Immutable** — logged server-side, no client-side tampering possible - **Retention-gated** — retained for 30 days (Free), 1 year (Pro), or 3 years (Enterprise) - **Exportable** — via the Management API, filterable by date range, event type, or severity When audit season arrives, your clients don't scramble for logs. You pull a clean, structured export via the API: ```bash GET https://api.litesoc.io/events?project_id=proj_abc&from=2026-01-01&to=2026-04-01 X-API-Key: lsoc_live_your_key ``` The response includes `X-LiteSOC-Plan`, `X-LiteSOC-Retention`, and `X-LiteSOC-Cutoff` headers — so you always know exactly what data window you're working with. --- ## Orchestration with n8n: Automate Your Response Playbooks LiteSOC has a native n8n integration, which means you can build automated response workflows without writing a line of code: - **Trigger:** `authz.privilege_escalation` (severity: critical) - **Action 1:** Post to Slack `#security-alerts` channel - **Action 2:** Open a JIRA ticket with the alert context - **Action 3:** Send an email to the affected user's manager For MSSPs, this means you can pre-build response playbooks and deploy them across all clients. One workflow. Universal coverage. --- ## MSSP Partner Program LiteSOC offers a dedicated MSSP partner tier with: - **Master Dashboard access** — multi-org management from a single account - **Wholesale pricing** — flat-rate licensing, margin is yours to set - **Priority support** — dedicated Slack channel and SLA - **Co-marketing** — joint case studies, referral program, and marketplace listing If you're running a security agency and want to deliver faster, more consistent protection to your clients — without the per-instance overhead — [apply to the LiteSOC Partner Program](/partners). --- ## Getting Started 1. **Apply** at [litesoc.io/partners](/partners) — select "MSSP" as your partner type 2. **Get provisioned** — your account gets Super-Admin access within 1 business day 3. **Add your first client** — create an organization, grab the API key, and drop the SDK into their stack 4. **Go live** — events start flowing in under 2 minutes Questions? Reach out at [sales@litesoc.io](mailto:sales@litesoc.io). --- ## Session Hijacking: Detection Patterns Every SaaS Engineer Should Know - **URL:** https://blog.litesoc.io/session-hijacking-detection-patterns-every-saas-engineer-should-know - **Published:** 2026-03-24 - **Author:** Amirol Ahmad > Session hijacking is invisible to most auth systems because attackers use valid tokens. Learn the behavioral patterns that expose stolen sessions — and how to build detection that catches them in real time. A stolen password is easy to detect — the login attempt fails, rate limiting kicks in, and the alert fires. A stolen session token is different. The attacker arrives with a valid credential. Your auth system sees a legitimate user. The session is active. Everything looks normal. Session hijacking is one of the hardest attack categories to detect precisely because it succeeds *silently*. By the time the real user notices something is wrong — a sent email they didn't write, a changed password, a deleted record — the attacker may have been inside for hours or days. This post breaks down the mechanics of session hijacking, the behavioral signals that betray a compromised session even when the token is valid, and how to build detection rules that catch these attacks before the damage is done. --- ## How Session Tokens Get Stolen Understanding the theft vector helps you understand the detection signal. ### Cross-Site Scripting (XSS) Malicious JavaScript injected into your application reads `document.cookie` or `localStorage` and exfiltrates the session token to an attacker-controlled server. This is the most common vector for web-based session theft and the reason `HttpOnly` cookies exist. **Protection baseline:** - Set `HttpOnly` and `Secure` flags on all session cookies - Implement a strict Content Security Policy (CSP) - Never store session tokens in `localStorage` — XSS can always access it ### Network Interception (Man-in-the-Middle) On unencrypted Wi-Fi networks, an attacker intercepts HTTP traffic and captures session cookies in transit. Rare with modern HTTPS enforcement, but still occurs on misconfigured legacy endpoints or when HSTS is not properly set. ### Malware & Browser Extension Compromise Infostealer malware (Raccoon, RedLine, Vidar) extracts session cookies directly from browser storage — bypassing `HttpOnly` entirely because it operates at the OS level, not the browser JavaScript level. This is now the dominant session theft vector, fueling a growing market for "stealer logs" on darknet forums. ### Session Fixation An attacker sets a session token *before* the user authenticates, then waits for the user to log in with that known token. Prevented by regenerating the session ID on authentication. ### Server-Side Session Store Compromise If your session store (Redis, database) is exposed or misconfigured, an attacker can enumerate or forge valid session tokens directly. --- ## The 5 Behavioral Signals of a Hijacked Session ### Signal 1: Geographic Displacement The most reliable indicator. A session that was active in Chicago, Illinois begins making requests from Frankfurt, Germany minutes later — with no flight time that would make this physically possible. This is LiteSOC's impossible travel detection applied to *sessions*, not just login events. The key insight is that you should be checking *every authenticated request* for geographic anomalies, not just logins. ```typescript // On every authenticated API request const lastKnownLocation = await redis.get(`session:location:${sessionId}`); const currentLocation = await resolveGeoIP(ipAddress); if (lastKnownLocation && currentLocation) { const distance = haversineDistance(lastKnownLocation, currentLocation); const timeDelta = Date.now() - lastKnownLocation.timestamp; const impliedSpeed = distance / (timeDelta / 3_600_000); // km/h if (impliedSpeed > 900) { // Faster than commercial flight await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: session.userId, metadata: { anomaly_type: "geographic_displacement", previous_location: lastKnownLocation.city, current_location: currentLocation.city, distance_km: Math.round(distance), time_delta_minutes: Math.round(timeDelta / 60_000), implied_speed_kmh: Math.round(impliedSpeed), session_id: sessionId, }, }); } } // Update location await redis.setex( `session:location:${sessionId}`, 86400, JSON.stringify({ ...currentLocation, timestamp: Date.now() }) ); ``` --- ### Signal 2: User-Agent Switch Mid-Session A legitimate user doesn't change their browser or operating system in the middle of an authenticated session. If the User-Agent header changes between requests on the same session token, either the token was stolen and replayed from a different device, or something unusual happened. ```typescript const storedUA = await redis.get(`session:ua:${sessionId}`); const currentUA = req.headers.get("user-agent") ?? ""; if (storedUA && storedUA !== currentUA) { await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: session.userId, metadata: { anomaly_type: "user_agent_mismatch", original_user_agent: storedUA, current_user_agent: currentUA, session_id: sessionId, }, }); // Force re-authentication await invalidateSession(sessionId); return new NextResponse("Session invalidated — please log in again", { status: 401 }); } if (!storedUA) { await redis.setex(`session:ua:${sessionId}`, 86400, currentUA); } ``` --- ### Signal 3: Concurrent Sessions from Incompatible Locations Unlike geographic displacement (one session moving too fast), concurrent session anomalies involve *two simultaneous sessions* that couldn't both belong to the same user — same session token making requests from two different countries at the same time. ```typescript const activeRequests = await redis.smembers(`session:active_ips:${sessionId}`); const currentIP = req.headers.get("x-forwarded-for")?.split(",")[0].trim() ?? ""; if (activeRequests.length > 0 && !activeRequests.includes(currentIP)) { const ipCountry = await getCountry(currentIP); const existingCountries = await Promise.all(activeRequests.map(getCountry)); const hasConflict = existingCountries.some((c) => c !== ipCountry); if (hasConflict) { await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: session.userId, metadata: { anomaly_type: "concurrent_session_conflict", session_id: sessionId, conflicting_countries: [ipCountry, ...existingCountries], }, }); } } // Track this IP as active for the session (30-second window) await redis.sadd(`session:active_ips:${sessionId}`, currentIP); await redis.expire(`session:active_ips:${sessionId}`, 30); ``` --- ### Signal 4: Privilege-Seeking Behavior Post-Compromise Once an attacker has a valid session, they typically probe for high-value resources immediately — trying to access admin panels, API key management, billing settings, or user lists before the victim notices and revokes access. This "smash and grab" pattern creates a distinctive sequence of events: a session that was previously doing routine work suddenly hits a burst of sensitive endpoints in rapid succession. ```typescript const sensitiveEndpoints = new Set([ "/api/org/api-keys", "/api/org/members", "/api/billing", "/api/org/settings", "/api/admin", ]); if (sensitiveEndpoints.has(req.nextUrl.pathname)) { const key = `session:sensitive_hits:${sessionId}`; const count = await redis.incr(key); if (count === 1) await redis.expire(key, 300); // 5-minute window if (count > 5) { await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: session.userId, metadata: { anomaly_type: "privilege_seeking_pattern", sensitive_endpoint_hits: count, window_seconds: 300, session_id: sessionId, current_endpoint: req.nextUrl.pathname, }, }); } } ``` --- ### Signal 5: Activity During Extended Inactivity Stealer malware often extracts session cookies from browser storage after the user has closed their browser and gone to sleep. The attacker then replays the cookie hours or days later. The telltale sign: a session that was last active at 6:00 PM on a Tuesday evening suddenly resumes at 3:00 AM — from a different country, operating at machine speed. ```typescript const lastActivity = await redis.get(`session:last_active:${sessionId}`); const now = Date.now(); if (lastActivity) { const gapHours = (now - parseInt(lastActivity)) / 3_600_000; if (gapHours > 8) { // Session resumes after 8+ hours of inactivity const currentLocation = await resolveGeoIP(ipAddress); const previousLocation = await redis.get(`session:location:${sessionId}`); const locationChanged = previousLocation && JSON.parse(previousLocation).country !== currentLocation.country; if (locationChanged) { await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: session.userId, metadata: { anomaly_type: "stale_session_replay", inactive_hours: Math.round(gapHours), previous_country: JSON.parse(previousLocation!).country, current_country: currentLocation.country, session_id: sessionId, }, }); } } } await redis.setex(`session:last_active:${sessionId}`, 86400, String(now)); ``` --- ## Putting It Together: A Session Defense Middleware Here's a consolidated middleware that applies all five detection signals in a single pass: ```typescript // middleware/session-guard.ts import { NextRequest, NextResponse } from "next/server"; import { litesoc } from "@/lib/litesoc"; import { redis } from "@/lib/redis"; import { resolveGeoIP, haversineDistance } from "@/lib/geo"; export async function sessionGuard(req: NextRequest, sessionId: string, userId: string) { const ipAddress = req.headers.get("x-forwarded-for")?.split(",")[0].trim() ?? ""; const userAgent = req.headers.get("user-agent") ?? ""; const now = Date.now(); const [storedUA, lastLocation, lastActive] = await Promise.all([ redis.get(`session:ua:${sessionId}`), redis.get(`session:location:${sessionId}`), redis.get(`session:last_active:${sessionId}`), ]); const currentLocation = await resolveGeoIP(ipAddress); const anomalies: string[] = []; // Signal 2: User-Agent mismatch if (storedUA && storedUA !== userAgent) { anomalies.push("user_agent_mismatch"); } // Signal 1 & 5: Geographic displacement or stale replay if (lastLocation) { const prev = JSON.parse(lastLocation); const distance = haversineDistance(prev, currentLocation); const timeDelta = now - prev.timestamp; const impliedSpeed = distance / (timeDelta / 3_600_000); if (impliedSpeed > 900) anomalies.push("geographic_displacement"); if (lastActive) { const gapHours = (now - parseInt(lastActive)) / 3_600_000; if (gapHours > 8 && prev.country !== currentLocation.country) { anomalies.push("stale_session_replay"); } } } if (anomalies.length > 0) { await litesoc.track({ event_name: "security.session_anomaly_detected", actor_id: userId, metadata: { anomaly_types: anomalies, session_id: sessionId, ip_address: ipAddress, current_location: currentLocation.city, }, }); // For high-confidence signals, force re-auth immediately if (anomalies.includes("user_agent_mismatch") || anomalies.includes("geographic_displacement")) { await redis.del(`session:ua:${sessionId}`, `session:location:${sessionId}`, `session:last_active:${sessionId}`); return new NextResponse( JSON.stringify({ error: "Session invalidated due to security anomaly. Please log in again." }), { status: 401, headers: { "Content-Type": "application/json" } } ); } } // Update session context const pipeline = redis.pipeline(); if (!storedUA) pipeline.setex(`session:ua:${sessionId}`, 86400, userAgent); pipeline.setex(`session:location:${sessionId}`, 86400, JSON.stringify({ ...currentLocation, timestamp: now })); pipeline.setex(`session:last_active:${sessionId}`, 86400, String(now)); await pipeline.exec(); return null; // No anomaly detected, continue } ``` --- ## Alert Configuration in LiteSOC With session anomaly events flowing in, configure your LiteSOC alert rules: | Event | Anomaly Type | Recommended Action | |---|---|---| | `security.session_anomaly_detected` | `geographic_displacement` | Immediate session revocation + notify user | | `security.session_anomaly_detected` | `user_agent_mismatch` | Immediate session revocation + notify user | | `security.session_anomaly_detected` | `stale_session_replay` | Flag for review + step-up auth prompt | | `security.session_anomaly_detected` | `privilege_seeking_pattern` | Flag for review + rate limit session | | `security.session_anomaly_detected` | `concurrent_session_conflict` | Notify user + require confirmation | For `geographic_displacement` and `user_agent_mismatch` — two of the highest-confidence signals — LiteSOC can automatically trigger a webhook that calls your session invalidation API, killing the compromised session within seconds. --- ## The Limits of Token-Based Detection Everything above assumes you can detect anomalies *after* the token is presented. But there's a class of attack where detection is harder: **token theft from the server side**. If an attacker compromises your Redis session store directly (misconfigured ACLs, exposed port, SSRF chain), they can read valid session tokens without ever making an anomalous request. They can then replay those tokens from the same IP range as the original user, defeating all behavioral checks. **Defenses against server-side token theft:** 1. **Signed, stateless tokens (JWTs)** — if you can't read the session store, you can't steal tokens from it 2. **Token binding** — bind the token to the TLS channel or a device fingerprint so a stolen token is useless on a different connection 3. **Short-lived sessions** — reduce the value of stolen tokens with aggressive expiry (15-30 minute access tokens, refresh tokens with rotation) 4. **Audit your Redis ACLs** — log every `redis.get` on session key patterns and alert on unexpected access --- ## The Attacker's Perspective Your detection is only as good as the gaps you close. Here's what an attacker optimizing against behavioral detection would do: 1. **Delay replay** — wait until the victim's typical working hours to replay the session, making time-based anomalies harder to detect 2. **Use a VPN exit node near the victim's location** — defeats geographic detection if the attacker knows where the victim is 3. **Warm the session slowly** — don't hit sensitive endpoints immediately; browse normally for 10 minutes first to avoid privilege-seeking pattern detection The effective counter to all three: **multi-signal correlation**. A single anomaly can be explained away. Three simultaneous anomalies — slightly unusual location + minor user agent discrepancy + elevated sensitive endpoint access — create a composite risk score that's much harder to defeat. LiteSOC's alert engine correlates events across the same `actor_id` and `session_id` in real time, letting you build compound rules: "fire if any two of the five session anomaly types occur within the same session within 10 minutes." --- ## Session Security Checklist Before you go: - [ ] `HttpOnly` and `Secure` flags set on all session cookies - [ ] Session ID regenerated on every login (prevents fixation) - [ ] Active sessions stored in Redis with explicit TTLs - [ ] Geographic displacement checked on every request, not just login - [ ] User-Agent pinned to session at first request - [ ] `security.session_anomaly_detected` events flowing to LiteSOC - [ ] Alert rules configured for high-confidence signals (geographic, UA mismatch) - [ ] Automatic session invalidation webhook configured for Critical alerts - [ ] Redis session store ACLs audited and restricted Session hijacking succeeds when defenders treat authentication as a one-time event. **Authentication is continuous.** Every request is an opportunity to verify the session is still legitimate — and to kill it if it's not. **[Set up continuous session monitoring with LiteSOC — free for up to 10,000 events/month.](https://litesoc.io/signup)** --- ## Supply Chain Attacks: How to Detect Third-Party Compromise in Your SaaS Stack - **URL:** https://blog.litesoc.io/supply-chain-attacks-how-to-detect-third-party-compromise-in-your-saas-stack - **Published:** 2026-03-24 - **Author:** Amirol Ahmad > Supply chain attacks are now the #1 threat vector for SaaS companies. Learn how to identify compromised dependencies, rogue OAuth apps, and malicious integrations before they cause a breach. In December 2020, SolarWinds shipped a software update containing malicious code that backdoored 18,000 organizations — including multiple US federal agencies. The attackers didn't break in through the front door. They poisoned the supply chain. Six years later, supply chain attacks have become the dominant threat vector for SaaS companies. The 2025 CISA Threat Landscape Report identified third-party software and service compromise as the leading initial access technique — surpassing phishing for the first time. The reason is simple: attacking the supply chain is a force multiplier. Compromise one widely-used package or OAuth integration and you get access to thousands of downstream targets simultaneously. This post covers the specific attack patterns, the security events that reveal them, and how to build detection into your platform using LiteSOC. --- ## What "Supply Chain" Means for SaaS For a SaaS company, "supply chain" isn't just npm packages. It's every external component that executes code or handles data on your behalf: - **npm/PyPI/Composer packages** — third-party code running in your application - **OAuth integrations** — apps with delegated access to your users' accounts - **Webhooks & outgoing requests** — calls to external services that could be hijacked - **CI/CD pipelines** — build systems with access to secrets and production environments - **SaaS-to-SaaS connections** — Zapier, n8n, Slack, Salesforce integrations Each of these is a potential entry point. And unlike direct attacks, supply chain compromises are invisible to traditional perimeter security because the malicious code arrives pre-authenticated. --- ## The 4 Supply Chain Attack Patterns ### 1. Dependency Confusion & Typosquatting An attacker publishes a malicious package to npm with the same name as an internal package, or a name one character off from a popular library (`lodahs` instead of `lodash`). When a developer installs it — or when a scoped package lookup falls through to the public registry — the malicious code executes. **What malicious packages do:** - Exfiltrate environment variables (API keys, database URLs) at install time - Add backdoors that beacon out to attacker-controlled servers at runtime - Modify build outputs to inject scripts into your production bundle **Detection approach:** Log and alert whenever a new package version enters your production build: ```typescript // In your CI/CD pipeline post-install hook await litesoc.track({ event_name: "admin.configuration_changed", actor_id: "ci-system", actor_type: "service", metadata: { change_type: "dependency_added", package_name: pkg.name, package_version: pkg.version, registry: pkg.resolved, is_scoped: pkg.name.startsWith("@"), }, }); ``` **Alert rule:** Any package installed from an unexpected registry (e.g., public npm for a scoped `@yourcompany/` package) should immediately trigger a Critical alert and halt the build. --- ### 2. Rogue OAuth Application Authorization A user in your organization is tricked into authorizing a malicious OAuth application that requests broad scopes (`read:all`, `write:files`, `admin`) under a legitimate-sounding name like "Google Drive Sync Pro" or "Slack Productivity Tools." Once authorized, the rogue app has persistent API access that survives password resets and MFA changes — because it holds a valid OAuth token, not credentials. **This is exactly how hundreds of corporate Google Workspace and Microsoft 365 accounts are compromised every month.** **Log every OAuth authorization in your platform:** ```typescript await litesoc.track({ event_name: "auth.oauth_app_authorized", actor_id: session.userId, metadata: { app_name: oauthApp.name, app_client_id: oauthApp.clientId, scopes_granted: oauthApp.scopes, app_publisher: oauthApp.publisherDomain, is_verified_publisher: oauthApp.isVerified, }, }); ``` **Alert rule:** Any OAuth app granted `admin` or `write:*` scopes by more than 3 users within 24 hours → flag for review. Unverified publishers requesting sensitive scopes → always alert. **Log revocations too:** ```typescript await litesoc.track({ event_name: "auth.oauth_app_revoked", actor_id: session.userId, metadata: { app_client_id: revokedApp.clientId, revocation_reason: "user_initiated" | "admin_force" | "security_review", }, }); ``` --- ### 3. CI/CD Pipeline Poisoning Attackers target your build infrastructure — GitHub Actions workflows, CircleCI configs, Dockerfile base images — to intercept secrets or inject malicious code into production builds. Common vectors: - **Compromised GitHub Actions** — a trusted action (`actions/checkout@v3`) gets its SHA hijacked - **Malicious pull requests** — PRs from forks that modify CI config to exfiltrate `GITHUB_TOKEN` - **Poisoned base Docker images** — `node:18-alpine` pulled from Docker Hub contains unexpected layers **Detection: pin your Actions by commit SHA, not tag:** ```yaml # ❌ Vulnerable — tag can be moved to point to malicious code - uses: actions/checkout@v3 # ✅ Safe — immutable reference - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 ``` **Log every production deployment with artifact provenance:** ```typescript await litesoc.track({ event_name: "admin.system_setting_changed", actor_id: deploymentPipeline.actorId, metadata: { change_type: "production_deployment", git_sha: process.env.VERCEL_GIT_COMMIT_SHA, git_branch: process.env.VERCEL_GIT_COMMIT_REF, triggered_by: process.env.CI_ACTOR, build_id: process.env.VERCEL_DEPLOYMENT_ID, }, }); ``` Any deployment where `git_branch` is not `main` or where `triggered_by` is not a known service account should trigger an out-of-band alert. --- ### 4. Compromised SaaS Integration Credentials Your n8n workflow, Zapier zap, or Make scenario has an API key embedded in it. If that integration platform is compromised — or if an employee's integration account is taken over — the attacker inherits all the permissions of every connected service. **Signals to watch in LiteSOC:** ```typescript // Log every action taken via an integration token separately await litesoc.track({ event_name: "data.record_accessed", actor_id: integrationToken.id, actor_type: "integration", metadata: { integration_name: "n8n", workflow_id: workflowId, records_accessed: recordIds.length, access_type: "automated", }, }); ``` **Alert rule:** Integration token accessing record types it has never accessed before → Medium. Integration token volume exceeding its 30-day p99 baseline by 3x → High. --- ## Building a Supply Chain Security Posture ### Step 1: Inventory Your Attack Surface Before you can detect anomalies, you need a baseline. Audit and log all of the following: | Component | What to Track | |---|---| | npm/pip/composer packages | Name, version, registry source, install date | | OAuth apps | App name, scopes, publisher domain, authorizing users | | CI/CD actions | SHA pins, allowed triggering actors | | API keys issued to integrations | Creation date, last used, scopes | | Outbound webhook URLs | Registered URL, validation status, last delivery | Use LiteSOC's `admin.configuration_changed` event for any change to this inventory. ### Step 2: Establish Baselines Supply chain attacks are hard to detect with static rules because the malicious component often behaves *normally at first*. Behavioral detection requires knowing what normal looks like: - What endpoints does each integration token typically call? - What volume of records does each automated actor access per hour? - Which OAuth apps are authorized by >5 users in your org? - What is the typical deployment cadence (days between production pushes)? LiteSOC builds these baselines automatically from your event history and flags statistically significant deviations. ### Step 3: Monitor for Exfiltration Patterns When a supply chain compromise does execute, it almost always attempts data exfiltration. These patterns are detectable: ```typescript // Unusual outbound data volume from a service account await litesoc.track({ event_name: "data.bulk_export", actor_id: serviceAccount.id, actor_type: "service", metadata: { destination: sanitizedDestination, record_count: exportedCount, data_classification: "sensitive", }, }); ``` ```typescript // First-time access to a sensitive resource type await litesoc.track({ event_name: "data.record_accessed", actor_id: session.actorId, metadata: { resource_type: "api_keys", // Service has never accessed this before is_first_access_for_actor: true, resource_id: resourceId, }, }); ``` --- ## Responding to a Supply Chain Incident When LiteSOC fires a supply chain-related alert, the response playbook differs from a standard credential compromise: **1. Immediate containment (within 15 minutes)** - Revoke all tokens associated with the compromised component - Rotate any secrets that may have been exposed (env vars, API keys, DB credentials) - Disable the compromised integration or workflow - Log the revocation action for your SOC 2 auditors **2. Scope assessment (within 1 hour)** Use the LiteSOC forensics view to pull every action performed by the compromised actor since it was first authorized: ```bash curl -X GET "https://api.litesoc.io/events?actor_id=&limit=1000" \ -H "X-API-Key: lsoc_live_yourkey" \ -H "X-Project-ID: your-project-id" ``` Map the full timeline: when did the behavior change? What data was touched? Who else was affected? **3. Notification (within 4 hours)** If customer data was accessed, your SOC 2 obligations (and most breach notification laws) require customer notification. Every LiteSOC alert resolution generates an immutable audit record with timestamps — exactly what your legal team needs for breach notification letters. --- ## The Uncomfortable Truth About Supply Chain Risk You cannot eliminate supply chain risk. Every SaaS application has hundreds of transitive dependencies and dozens of third-party integrations. The attack surface is irreducible. What you *can* do is shrink your detection window. The difference between a catastrophic breach and a contained incident is almost always time — how quickly did you notice the anomaly? The organizations that came out of SolarWinds and XZ Utils relatively unscathed were not the ones with the best prevention. They were the ones with the best detection: structured event logs, behavioral baselines, and alert rules that fired within minutes of the first anomaly. LiteSOC gives you that detection layer in 2 minutes of integration time. The events you log today are the forensic record that saves you tomorrow. **[Start your free trial — no credit card required.](https://litesoc.io/signup)** --- ## API Security Monitoring: The Complete Guide for SaaS Teams - **URL:** https://blog.litesoc.io/api-security-monitoring-the-complete-guide-for-saas-teams - **Published:** 2026-03-24 - **Author:** Amirol Ahmad > Learn how to detect, investigate, and respond to API-layer attacks — from credential abuse and token theft to privilege escalation and data exfiltration — using structured security events. APIs are the nervous system of every modern SaaS product. They power your mobile apps, your partner integrations, your internal dashboards, and your customer automations. They also represent the single largest attack surface most engineering teams are under-monitoring. According to the 2025 Verizon DBIR, over 60% of breaches involved an application-layer vulnerability — and the majority of those were exposed through APIs. The uncomfortable truth is that most teams can tell you their API uptime but can't tell you *who* is calling their API and *what* they're doing with it. This guide walks through the API attack patterns that matter, the security events you should be logging, and how to build a monitoring layer that gives your team forensic visibility without requiring a six-figure SIEM contract. --- ## Why Traditional Monitoring Misses API Attacks Infrastructure monitoring tools (Datadog, Grafana, CloudWatch) are excellent at telling you when your API is *slow* or *down*. They are terrible at telling you when your API is being *abused*. The gap is signal quality. A `4xx` spike in your APM dashboard tells you requests are failing. It doesn't tell you: - Are those failures targeting specific accounts? - Are they coming from a coordinated set of IPs? - Has the same actor been probing your endpoints for the past 24 hours? **Security monitoring requires behavioral context, not just metrics.** --- ## The 6 API Attack Patterns You Must Detect ### 1. Credential Abuse via API Automated scripts use leaked API keys or stolen OAuth tokens to call your endpoints directly. Unlike browser-based attacks, these bypass UI rate limits entirely and can operate at machine speed. **Signals to watch:** - High-frequency requests from a single API key above your p99 baseline - Requests from unusual geographic locations for that key - Sudden access to endpoints the key has never called before **LiteSOC event to log:** ```typescript await litesoc.track({ event_name: "auth.api_key_used", actor_id: apiKey.id, actor_type: "api_key", metadata: { endpoint: req.nextUrl.pathname, method: req.method, ip_address: req.headers.get("x-forwarded-for"), }, }); ``` --- ### 2. Enumeration & Reconnaissance Before a targeted attack, adversaries probe your API to map its structure — testing which endpoints exist, what parameters they accept, and what error messages reveal about your data model. **Signals to watch:** - High rate of `404` responses from a single IP - Sequential ID probing (e.g., `/users/1001`, `/users/1002`, `/users/1003`) - Requests to undocumented or deprecated endpoints **Detection approach with LiteSOC:** ```typescript // In your API middleware const notFoundKey = `enum:${ipAddress}`; const count = await redis.incr(notFoundKey); if (count === 1) await redis.expire(notFoundKey, 300); // 5-minute window if (count > 30) { await litesoc.track({ event_name: "security.api_enumeration_detected", actor_id: ipAddress, actor_type: "ip", metadata: { endpoint_count: count, window_seconds: 300 }, }); } ``` --- ### 3. Privilege Escalation via Parameter Tampering Attackers modify request parameters (user IDs, org IDs, role fields) to access resources belonging to other tenants or escalate their own privileges. This is OWASP's **Broken Object Level Authorization (BOLA)** — the #1 API vulnerability. **Example attack:** ```http # Legitimate request GET /api/reports?org_id=org_abc123 # Tampered request — accessing another tenant's data GET /api/reports?org_id=org_xyz987 ``` **Defense — always lock queries to the authenticated org:** ```typescript // ✅ Correct — org_id comes from the verified JWT, NOT the request const { data } = await supabase .from("reports") .select("id, title, created_at") .eq("org_id", session.orgId) // <-- from auth context, never from input .gte("created_at", cutoffDate); ``` **Log every cross-tenant attempt:** ```typescript await litesoc.track({ event_name: "authz.access_denied", actor_id: session.userId, metadata: { requested_org: requestedOrgId, actual_org: session.orgId, endpoint: req.nextUrl.pathname, }, }); ``` --- ### 4. Data Exfiltration via Bulk Scraping Authorized users — or compromised accounts — systematically download large volumes of data by iterating through paginated endpoints. This is legal access used for illegal purposes. **Signals to watch:** - Actor repeatedly hitting list endpoints across many pages in a short window - Total records fetched by a single session exceeds normal thresholds - Scraping occurring outside business hours **Example detection rule:** ```typescript const scrapeKey = `scrape:${userId}:${Date.now() - (Date.now() % 3_600_000)}`; // hourly bucket const recordsThisHour = await redis.incrby(scrapeKey, pageSize); if (recordsThisHour === pageSize) await redis.expire(scrapeKey, 3600); const SCRAPE_THRESHOLD = 10_000; if (recordsThisHour > SCRAPE_THRESHOLD) { await litesoc.track({ event_name: "data.bulk_export", actor_id: userId, metadata: { records_fetched: recordsThisHour, endpoint: req.nextUrl.pathname, }, }); } ``` --- ### 5. Token Replay Attacks A stolen JWT or refresh token is used from a different device or location. Unlike credential stuffing (which triggers failed logins), token replay uses a *valid* token — making it invisible to most auth logs. **Signals to watch:** - Same token used from two different IP families or countries simultaneously - Token activity resumes after the owning user's session was idle for hours - Refresh token used to generate new access tokens at unusual frequency LiteSOC's impossible travel detection covers this automatically when you log `auth.login_success` with geolocation metadata. A token used from Berlin at 9:00 AM and São Paulo at 9:45 AM will trigger an alert regardless of whether the credentials were valid. --- ### 6. Webhook & Callback Injection (SSRF) If your platform allows users to configure webhook URLs for event delivery, attackers can supply internal URLs to probe your infrastructure — forwarding webhooks to `http://169.254.169.254/latest/meta-data/` (AWS metadata endpoint) or internal services. **Defense — always validate webhook URLs before delivery:** ```typescript export function isValidWebhookUrl(url: string): boolean { try { const parsed = new URL(url); // Block non-HTTPS if (parsed.protocol !== "https:") return false; // Block private/reserved IP ranges const hostname = parsed.hostname; const privatePatterns = [ /^localhost$/i, /^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./, /^169\.254\./, // AWS/Azure metadata /^::1$/, ]; if (privatePatterns.some((p) => p.test(hostname))) return false; return true; } catch { return false; } } ``` **Log every invalid webhook registration attempt:** ```typescript await litesoc.track({ event_name: "security.ssrf_attempt_blocked", actor_id: session.userId, metadata: { provided_url: sanitizedUrl }, }); ``` --- ## Building Your API Security Event Taxonomy The events above map to LiteSOC's 26 standard event categories. Here's the subset most relevant to API security: | Event Name | Trigger Condition | Recommended Severity | |---|---|---| | `auth.api_key_used` | Every authenticated API request | Info | | `auth.api_key_invalid` | Rejected API key | Medium | | `authz.access_denied` | BOLA / cross-tenant probe | High | | `authz.permission_denied` | Plan-gated endpoint accessed | Medium | | `security.api_enumeration_detected` | High-volume 404 pattern | High | | `security.rate_limit_exceeded` | Quota exhausted | Medium | | `security.ssrf_attempt_blocked` | Invalid webhook URL | Critical | | `data.bulk_export` | Scraping threshold crossed | High | | `data.record_deleted` | Any destructive data operation | Medium | --- ## Responding to API Security Events in LiteSOC Logging events is step one. The real value comes from the alert layer that sits on top. ### Automated Alert Rules In your LiteSOC dashboard, configure alerts for high-severity patterns: 1. **Any `authz.access_denied` from the same actor within 10 minutes** → Block actor + notify security team 2. **`security.api_enumeration_detected`** → Auto-revoke API key + create incident 3. **`data.bulk_export` exceeding 50,000 records in one hour** → Freeze account + escalate to on-call ### Forensic Investigation with the Events API When an alert fires, use the Management API to pull the full context: ```bash # Get all events from a suspicious actor in the last 24 hours curl -X GET "https://api.litesoc.io/events?actor_id=&limit=100" \ -H "X-API-Key: lsoc_live_yourkey" \ -H "X-Project-ID: your-project-id" ``` LiteSOC returns each event enriched with geolocation, VPN/Tor detection, and ISP metadata — giving you the full picture of what the actor did, from where, and in what sequence. ### Resolving Alerts Programmatically Once investigated, resolve alerts without leaving your terminal: ```bash curl -X PATCH "https://api.litesoc.io/alerts/" \ -H "X-API-Key: lsoc_live_yourkey" \ -H "Content-Type: application/json" \ -d '{"status": "resolved"}' ``` Every resolution is automatically written to your SOC 2 audit trail. --- ## Integration: Adding API Monitoring in Under 2 Minutes If you're already using LiteSOC, add API security coverage to an existing Next.js route in three steps. **Step 1 — Install the SDK:** ```bash npm install litesoc ``` **Step 2 — Initialize with your API key:** ```typescript // lib/litesoc.ts import { LiteSOC } from "litesoc"; export const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY!, projectId: process.env.LITESOC_PROJECT_ID!, }); ``` **Step 3 — Instrument your middleware:** ```typescript // middleware.ts import { litesoc } from "@/lib/litesoc"; export async function middleware(req: NextRequest) { const apiKey = req.headers.get("x-api-key"); if (!apiKey) { await litesoc.track({ event_name: "auth.api_key_invalid", metadata: { ip_address: req.headers.get("x-forwarded-for"), endpoint: req.nextUrl.pathname, }, }); return new NextResponse("Unauthorized", { status: 401 }); } // ... validate key and continue } ``` That's it. Every unauthenticated probe to your API is now a structured security event with geolocation, VPN detection, and alert potential. --- ## The Bottom Line API security monitoring doesn't require a dedicated SOC team or a six-figure SIEM. It requires two things: 1. **Structured events** — log the right signals with enough context to reconstruct an attack. 2. **Behavioral alerts** — fire when patterns, not just individual requests, cross a threshold. LiteSOC is built for exactly this use case: a 2-minute integration that gives startup engineering teams the same forensic visibility that enterprise security teams pay millions for, without the complexity, the overhead, or the noise. **Start monitoring your API layer today — [get your free API key](https://litesoc.io/signup).** --- ## Custom Threat Models: Build Detection Rules That Actually Fit Your Application - **URL:** https://blog.litesoc.io/custom-threat-models-build-detection-rules-that-actually-fit-your-application - **Published:** 2026-03-11 - **Author:** Amirol Ahmad > A deep dive into LiteSOC's Enterprise Custom Threat Models — how FOLLOWED BY chains, metadata filters, and the condition engine let you detect threats that generic SIEMs miss entirely. Every application has a unique threat surface. A fintech app fears large fund transfers to new accounts. A dev-tools platform fears bulk secret exports. A healthcare SaaS fears bulk patient record downloads from odd hours or unexpected geographies. Generic SIEM rules — written to cover every application — can't know any of that. That's the problem Custom Threat Models solve. ## What Are Custom Threat Models? Custom Threat Models are Enterprise-tier detection rules you define in LiteSOC. Instead of relying only on LiteSOC's built-in detectors (impossible travel, brute force, etc.), you describe exactly what a threat looks like for your application. LiteSOC's worker evaluates every incoming event batch against your rules in real time — no query language to learn, no YAML to deploy. Every rule has five core components: | Component | What it does | |-----------|-------------| | **Event Type** | The event to watch. Supports wildcards like `auth.*` | | **Condition** | A JSONB filter applied to matching events | | **Threshold** | How many matches within the window trigger a detection | | **Time Window** | The rolling window in minutes to count matches | | **Severity** | Alert severity: `critical`, `high`, `medium`, or `low` | ## The FOLLOWED BY Chain The most powerful feature is the **chained event**. You can say: > "Fire an alert if I see 10 failed logins within 10 minutes, **followed by** a successful login within 15 minutes." This is fundamentally different from a simple count threshold. It detects the *narrative arc* of a brute-force-to-account-takeover attack — not just the failed attempts, which could be a user forgetting their password. When a chain fires, LiteSOC automatically upgrades the severity to **CRITICAL** and names the alert *"Account Compromise Detected after Brute Force"*, regardless of what severity you configured. The system correlates the chained event to the same actor or IP that crossed the primary threshold. You don't have to do that join yourself. ``` time window (10 min) ◄─────────────────────────────► 10:00 auth.login_failed × 10 → threshold crossed 10:12 auth.login_success → chain matched ← CRITICAL alert fires 10:16 chain window expires (15 min TTL in Redis) ``` ### How the Redis Sentinel Works When the primary threshold is crossed, LiteSOC writes a **sentinel key** to Redis: ``` custom_model_sentinel:{orgId}:{modelId}:{actorOrIp} TTL = chain_time_window_minutes × 60 seconds ``` The next worker batch (runs every 30 seconds) checks for this sentinel when it sees a chained event type. If the key exists and the chained event matches the same actor or IP — the alert fires. The sentinel's TTL guarantees **no state persists beyond the chain window**. There is no cleanup job, no cron — expiry is atomic and guaranteed by Redis. ## The Condition Engine The condition is a JSONB object stored alongside your rule. Three formats are supported: ### 1. No condition — match everything ```json {} ``` Use this when the event type is enough signal. Every `data.bulk_delete` should be investigated regardless of context? Set threshold to `1`, condition to `{}`. ### 2. Single filter ```json { "field": "metadata.service", "operator": "equals", "value": "ssh" } ``` ### 3. AND / OR / NOT tree ```json { "logical_operator": "AND", "filters": [ { "field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true" }, { "field": "metadata.service", "operator": "equals", "value": "ssh" } ] } ``` The engine walks this tree recursively. `AND` requires all children to match. `OR` requires at least one. `NOT` negates the first child. There's no depth limit — you can nest `OR` groups inside `AND` groups for arbitrarily complex logic. ### Field Paths Condition filters reference fields using dot-notation paths: | Prefix | Resolves to | Example | |--------|-------------|---------| | `metadata.` | `event.metadata[key]` (arbitrary depth) | `metadata.network_intelligence.is_vpn` | | `actor.` | `event.actor[key]` | `actor.email` | | Root fields | Top-level event properties | `user_ip`, `event` | The `metadata.*` namespace is yours to populate with whatever context your application has. LiteSOC enriches it with network intelligence (`is_vpn`, `is_tor`, `is_datacenter`, `network_type`) and geolocation (`country_code`, `city`, `isp`) automatically during ingestion. ### All Supported Operators | Operator | Aliases | Use for | |----------|---------|---------| | `equals` | `eq` | Exact string / number match | | `not_equals` | `neq`, `ne` | Exclusion | | `contains` | — | Substring search (great for `metadata.raw_log`) | | `not_contains` | — | Negative substring | | `starts_with` | — | Prefix match | | `ends_with` | — | Suffix match | | `gt` / `lt` | `greater_than` / `less_than` | Numeric comparisons | | `gte` / `lte` | `greater_than_or_equal` / `less_than_or_equal` | Numeric range | | `in` | — | Value is one of an array | | `not_in` | — | Value is not in an array | | `exists` | — | Field is present and non-null | | `not_exists` | — | Field is absent or null | | `regex` | — | Case-insensitive regex (cached, never recompiled per event) | A quick note on the `regex` operator: patterns are compiled once and cached in a module-level `Map`. Even if you're processing 10,000 events per batch, the same `/(sqlmap|nikto|masscan)/i` is never recompiled twice. This was a deliberate performance decision. ## Performance: How Rules Scale The naive implementation of "for every rule, scan every event" is O(rules × events). At 50 rules and 100 events per batch, that's 5,000 iterations — before any condition evaluation. LiteSOC's worker builds a **pre-filter index** once per org batch, before the rule loop: ```typescript // Built once — O(events) const exactTypeIndex = new Map(); const prefixTypeIndex = new Map(); for (const ev of orgEvents) { const et = ev.event.toLowerCase(); exactTypeIndex.set(et, [...(exactTypeIndex.get(et) ?? []), ev]); const prefix = et.slice(0, et.indexOf(".")); prefixTypeIndex.set(prefix, [...(prefixTypeIndex.get(prefix) ?? []), ev]); } // Rule loop — O(1) type lookup, then condition eval only on candidates const candidates = rule.event_type.endsWith(".*") ? prefixTypeIndex.get(rule.event_type.slice(0, -2)) ?? [] : exactTypeIndex.get(rule.event_type) ?? []; const matches = candidates.filter(ev => evaluateCondition(ev, rule.condition)); ``` Instead of checking every event against every rule, each rule immediately gets only the events of the right type. Condition evaluation — the expensive part — only runs on actual candidates. In practice, most rules will evaluate against a handful of events even in a busy batch. ## Six Rules Worth Adding Today Here are production-ready rules you can copy directly into the Custom Threat Models builder. ### 1 — Compromised Account (FOLLOWED BY) The canonical account takeover pattern. ```json { "event_type": "auth.login_failed", "condition": {}, "threshold": 10, "time_window_minutes": 10, "chained_event_type": "auth.login_success", "chain_time_window_minutes": 15, "severity": "high" } ``` ### 2 — Data Exfiltration from Non-Approved Country ```json { "event_type": "data.*", "condition": { "logical_operator": "AND", "filters": [ { "field": "event", "operator": "contains", "value": "export" }, { "field": "metadata.country_code", "operator": "not_in", "value": ["US", "GB", "DE", "CA", "AU"] } ], "group_by": "user_ip" }, "threshold": 1, "time_window_minutes": 60, "severity": "critical" } ``` ### 3 — SSH Botnet (Datacenter Source) Residential users don't SSH from AWS IP blocks. Automated attack tools do. ```json { "event_type": "auth.login_failed", "condition": { "logical_operator": "AND", "filters": [ { "field": "metadata.service", "operator": "equals", "value": "ssh" }, { "field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true" } ], "group_by": "user_ip" }, "threshold": 5, "time_window_minutes": 5, "severity": "critical" } ``` ### 4 — VPN Access to Admin Endpoints ```json { "event_type": "data.*", "condition": { "logical_operator": "AND", "filters": [ { "field": "metadata.endpoint", "operator": "starts_with", "value": "/api/v1/admin" }, { "logical_operator": "OR", "filters": [ { "field": "metadata.network_intelligence.is_vpn", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_tor", "operator": "equals", "value": "true" }, { "field": "metadata.network_intelligence.is_proxy", "operator": "equals", "value": "true" } ] } ] }, "threshold": 1, "time_window_minutes": 30, "severity": "high" } ``` ### 5 — Privilege Escalation Spike ```json { "event_type": "admin.*", "condition": { "logical_operator": "OR", "filters": [ { "field": "event", "operator": "contains", "value": "privilege_escalation" }, { "field": "event", "operator": "contains", "value": "role.changed" }, { "field": "event", "operator": "contains", "value": "permission.changed" } ], "group_by": "actor.id" }, "threshold": 3, "time_window_minutes": 15, "severity": "critical" } ``` ### 6 — Known Attack Tool Scanner ```json { "event_type": "security.*", "condition": { "filters": [ { "field": "metadata.user_agent", "operator": "regex", "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap|burpsuite|zap)" } ] }, "threshold": 1, "time_window_minutes": 60, "severity": "high" } ``` ## Common Pitfalls **Boolean values must be strings.** The condition engine compares via `String(actualValue) === String(expectedValue)`. Write `"value": "true"` not `"value": true`. This is a known quirk and is documented in the operator reference. **Empty `not_in` arrays always match.** `{ "operator": "not_in", "value": [] }` is trivially true — nothing is in an empty array. Add a guard condition or use `exists` instead. **`regex` with catastrophic backtracking.** The engine silently returns `false` on a thrown RegExp error, so a malformed or pathological pattern won't crash the worker — but it also won't detect anything. Test regex patterns externally before deploying. **Enriched fields are always available.** `metadata.network_intelligence.*` and geolocation fields are injected by LiteSOC during ingestion enrichment, before the worker runs. You don't need to send them — and you can't override them even if you try. ## Getting Started Custom Threat Models are available on the **Enterprise plan**. To create your first rule: 1. Go to **Dashboard → Threat Models → New Rule** 2. Choose an event type (use the wildcard `auth.*` to catch all auth events) 3. Set a threshold and time window 4. Optionally add a condition using the visual Rule Builder 5. Save — the rule is active on the next worker cycle (within 30 seconds) The full operator reference, field path guide, and more example rules are in the [Enterprise documentation](/help/enterprise/custom-threat-models-overview). --- ## Beyond the App: Monitoring SSH Brute Force (Port 22) with LiteSOC - **URL:** https://blog.litesoc.io/beyond-the-app-monitoring-ssh-brute-force-port-22-with-litesoc - **Published:** 2026-03-11 - **Author:** Amirol Ahmad > Learn how to bridge the gap between infrastructure and application security by monitoring SSH brute force attacks using LiteSOC When we talk about Security Observability, most founders focus entirely on their web application—login pages, password resets, and API endpoints. But there is a "back door" that almost every startup has, which is often left in the dark: **The SSH Port (Port 22).** While Cloudflare protects your front gate, and LiteSOC monitors your "living room" (your app), your server's SSH port is constantly being hammered by botnets from around the world. In this post, we’ll show you how to use LiteSOC to shine a light on your infrastructure security. ## The Problem: The Invisible Hammer If you run a Linux server (AWS, DigitalOcean, Vercel doesn't count as it's managed), your `/var/log/auth.log` is likely filled with thousands of "Failed password" entries. These are automated scripts trying to guess your root password. Standard tools like `Fail2Ban` are great for blocking these IPs, but they lack **Visibility**: 1. You don't know *where* the attacks are coming from visually. 2. You don't have a *unified timeline* showing if the same IP attacking your SSH is also attacking your App. 3. You don't get **Behavioral Alerts** (like an admin successfully logging in from a new country). ## The Solution: LiteSOC as a Host-Based "Spy" Since LiteSOC is API-first, it doesn't care if the "event" comes from a JavaScript app or a Linux Bash script. We can turn your server into a LiteSOC "sensor" in under 2 minutes. ### Step 1: The "Log Watcher" Script On your Linux server, you can create a simple script that "tails" your authentication logs and forwards failures to LiteSOC. Create a file named `litesoc-monitor.sh`: ```bash #!/bin/bash # Your LiteSOC API Key API_KEY="lsoc_live_your_key_here" # Watch the auth log for failed passwords tail -F /var/log/auth.log | grep --line-buffered "Failed password" | while read line; do # Extract the IP address using Regex IP=$(echo $line | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -1) # Send to LiteSOC Ingestion API curl -X POST https://api.litesoc.io/collect \ -H "Content-Type: application/json" \ -H "X-API-Key: $API_KEY" \ -d "{ \"events\": [{ \"event_name\": \"auth.login_failed\", \"actor_id\": \"ssh-daemon\", \"user_ip\": \"$IP\", \"metadata\": { \"service\": \"ssh\", \"raw_log\": \"$line\", \"port\": 22 } }] }" ``` ### Step 2: Run in Background Run this script using nohup or a systemd service to ensure it monitors your server 24/7. ### Why This is a Game Changer **1. Visual Forensic Maps** Instead of reading a text file, you can now open your LiteSOC Dashboard and see a heatmap of which countries are currently trying to brute-force your server. Seeing a cluster of red dots in a country you don't operate in is an immediate signal to harden your firewall. **2. Behavioral AI for Admins** This is the most powerful part. If you (the Admin) usually log in from Malaysia, and suddenly there is a Successful SSH Login from an IP in Russia, LiteSOC’s Impossible Travel engine will trigger. You will receive an instant alert on Slack: ```🚨 CRITICAL: Impossible Travel detected for ssh-daemon. User logged in from Russia 2 minutes after being in Malaysia.``` **3. Unified Security Posture** By sending server logs to LiteSOC, you get a single Security Health Score that reflects your entire stack. You can correlate data: "Is the IP attacking my SSH the same one that tried to brute-force my WordPress login earlier?" ### Conclusion Security shouldn't be fragmented. By bridging the gap between your server's raw logs and LiteSOC’s intelligent dashboard, you move from "guessing" your security status to "knowing" it. Stop letting Port 22 be a blind spot. Integrate your server logs with LiteSOC today. **New to LiteSOC? Start your [14-day Pro Trial for free](https://www.litesoc.io/signup?plan=pro&billing=monthly).** --- ## Vibe coding is great, but are people thinking about cybersecurity? - **URL:** https://blog.litesoc.io/vibe-coding-is-great-but-are-people-thinking-about-cybersecurity - **Published:** 2026-03-07 - **Author:** Amirol Ahmad > I’ve been seeing more and more people building apps with AI and vibe coding. Shipping products faster than ever. Right now, building software is easier than ever. With AI tools and the rise of vibe coding, developers can ship products in days instead of weeks. A lot of indie hackers and startups are launching faster than ever. But there’s one thing I rarely see people talk about: **security**. ## My Background My name is Amirol, Founder of LiteSOC. My career started as a System Administrator before I moved into Software Engineering 18 years ago. Later, I continued my studies with a Master’s in Cybersecurity at Universiti Kebangsaan Malaysia (UKM). I also hold the Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP) certifications. Over the years, I’ve also taken on side projects building web applications for clients. Because of that, one thing became very clear to me: monitoring logs is essential. But the way we handle logs today is still painful. ## The Problems I Kept Facing While working on different projects, I kept running into the same issues again and again. 1. Manually checking logs is exhausting Most of the time, logs just sit there until something breaks. Nobody wants to spend time opening log files and scrolling through thousands of lines. 2. Traditional logs don’t tell the full story Most logs only show basic information like IP addresses and endpoints. They rarely provide meaningful insights into what actually happened. 3. Alerts are not built-in If you want alerts, you usually need to set up multiple tools like log collectors, dashboards, and alerting systems. 4. Logs don’t highlight security threats Things like brute-force login attempts, endpoint scanning, or abnormal request patterns are buried inside raw logs. 5. Finding the root cause takes too long When something suspicious happens, you often need to manually investigate thousands of log lines just to understand the timeline. 6. The setup is too complex for small teams Many solutions require setting up ELK stacks, SIEM platforms, or complex infrastructure. 7. Most security tools are built for enterprises Large companies can afford expensive SIEM platforms, but indie developers and small startups usually can’t. ## So I Built LiteSOC That frustration is exactly why I built LiteSOC. LiteSOC is designed to make security monitoring simple for developers, indie hackers, and startups who don’t have the resources to run a full security operations center. Instead of just storing logs, LiteSOC helps you understand what’s happening inside your application. With LiteSOC, you can: - Monitor logs in real time - Receive alerts when suspicious activity happens - Detect brute-force login attempts - Identify abnormal traffic patterns - See security insights instead of raw log lines ## The Goal My goal with LiteSOC is simple: Help developers gain better visibility and security without needing expensive enterprise tools or complex infrastructure. Because security shouldn’t only be available to big companies. --- ## Introducing the LiteSOC Integrations Marketplace - **URL:** https://blog.litesoc.io/introducing-the-litesoc-integrations-marketplace - **Published:** 2026-03-06 - **Author:** Amirol Ahmad > Connect your auth stack in minutes. Announcing official integrations for Supabase, Auth0, and n8n — with one-click setup and full Behavioral AI support. Today we're excited to launch the **LiteSOC Integrations Marketplace** — a central hub where you can connect your favorite authentication providers and workflow tools to LiteSOC in under 5 minutes. ## Why Integrations Matter Modern SaaS applications rarely exist in isolation. Your users authenticate through Supabase, Auth0, Clerk, or Firebase. Your ops team automates with n8n or Zapier. Your security monitoring needs to capture events from all of these sources. Until now, connecting these services to a security monitoring platform meant writing custom code, managing webhooks manually, and hoping nothing breaks during your next deployment. **Not anymore.** ## Three Official Integrations, Ready Today ### 🟢 Supabase Integration If you're building with Supabase, this is the integration you've been waiting for. **One-click OAuth setup** — no API keys to copy, no webhook URLs to configure. Just connect your Supabase project and LiteSOC automatically tracks: - `auth.signup_success` — New user registrations - `auth.login_success` — Successful sign-ins - `auth.login_failed` — Failed login attempts - `auth.password_reset_requested` — Password reset flows - `auth.mfa_enabled` / `auth.mfa_disabled` — MFA changes - `admin.user_deleted` — User deletions All events include full IP addresses, enabling our Behavioral AI to detect impossible travel, brute force attacks, and geo-anomalies. [**Set up Supabase →**](https://litesoc.io/docs/integrations/supabase) --- ### 🟠 Auth0 Integration Enterprise teams using Auth0 can now stream authentication events directly to LiteSOC using **Actions** or **Log Streams**. Our Auth0 integration captures: - Login success and failures - Signup events - MFA enrollment and authentication - Password changes - Account blocks and rate limiting events The integration preserves **full client IP addresses** — critical for accurate Behavioral AI detection that many SIEM solutions miss. [**Set up Auth0 →**](https://litesoc.io/docs/integrations/auth0) --- ### 🔴 n8n Community Node For teams that live in n8n, we've published an official **community node** that brings LiteSOC into your automation workflows. Build powerful security automations without writing code: - **Trigger workflows** when specific events occur - **Query events** from your LiteSOC timeline - **Resolve alerts** automatically based on custom logic - **Enrich data** by combining LiteSOC events with other sources Perfect for: - Auto-responding to security incidents - Creating custom Slack/Discord notifications - Building audit report generators - Implementing custom detection rules [**Install the n8n Node →**](https://litesoc.io/docs/integrations/n8n) --- ## Built for Security Teams Every integration follows our SOC 2-compliant standards: | Feature | Supabase | Auth0 | n8n | |---------|----------|-------|-----| | Full IP capture | ✅ | ✅ | ✅ | | Behavioral AI ready | ✅ | ✅ | ✅ | | Event normalization | ✅ | ✅ | ✅ | | Rate limiting | ✅ | ✅ | ✅ | | Audit logging | ✅ | ✅ | ✅ | All integrations normalize events to our [26 standard security events](/blog/26-security-events-every-saas-should-track), so your dashboards and alerts work consistently regardless of the source. ## What's Coming Next We're already working on integrations for: - **Clerk** — Modern user management for Next.js apps - **Firebase** — Google's authentication and app platform - **WorkOS** — Enterprise SSO and directory sync - **Stytch** — Passwordless authentication APIs - **Okta** — Enterprise identity management Want to see a specific integration? [Let us know on Twitter](https://twitter.com/mylitesoc) or [open a GitHub issue](https://github.com/LiteSOC). ## Get Started in 5 Minutes 1. **Go to Integrations** — Visit [litesoc.io/docs/integrations](https://litesoc.io/docs/integrations) 2. **Choose your provider** — Supabase, Auth0, or n8n 3. **Follow the guide** — Each integration has step-by-step instructions 4. **Watch events flow** — See security events appear in your dashboard instantly No credit card required. Start with our free tier and upgrade when you're ready. --- ## The Bigger Picture These integrations are just the beginning. Our vision is simple: **every authentication event in your stack should flow through LiteSOC**, normalized, enriched with threat intelligence, and ready for your security team to act on. Whether you're a two-person startup or a 200-person scale-up, you deserve enterprise-grade security monitoring without enterprise complexity. **Welcome to the future of lightweight security operations.** [**Explore the Integrations Marketplace →**](https://litesoc.io/docs/integrations) --- ## Brute Force Detection: Patterns, Thresholds, and Response Strategies - **URL:** https://blog.litesoc.io/brute-force-detection-patterns-thresholds-and-response-strategies - **Published:** 2026-03-05 - **Author:** Amirol Ahmad > A comprehensive guide to detecting and preventing brute force attacks on your SaaS application with practical implementation examples. Brute force attacks remain one of the most common threats to SaaS applications. Despite being conceptually simple—try every possible password until one works—they're surprisingly effective when defenses are weak. ## The Anatomy of a Brute Force Attack Modern brute force attacks have evolved beyond simple password guessing: ### Credential Stuffing Attackers use leaked username/password combinations from other breaches, hoping users reused credentials. ### Password Spraying Instead of trying many passwords against one account, attackers try common passwords against many accounts to avoid lockouts. ### Distributed Attacks Requests come from thousands of IPs (botnets), making IP-based blocking ineffective. ## Detection Patterns ### Pattern 1: High Velocity Single-Target ``` 10:00:01 - auth.login_failed - user@example.com - 203.0.113.50 10:00:02 - auth.login_failed - user@example.com - 203.0.113.50 10:00:03 - auth.login_failed - user@example.com - 203.0.113.50 10:00:04 - auth.login_failed - user@example.com - 203.0.113.50 10:00:05 - auth.login_failed - user@example.com - 203.0.113.50 ``` **Indicators:** - Same target account - Same source IP - Rapid succession (< 1 second apart) **Detection Rule:** ```typescript const BRUTE_FORCE_THRESHOLD = 5; const WINDOW_SECONDS = 60; async function detectBruteForce(event: SecurityEvent) { const key = `bf:${event.actor_id}:${event.ip_address}`; const count = await redis.incr(key); if (count === 1) { await redis.expire(key, WINDOW_SECONDS); } if (count >= BRUTE_FORCE_THRESHOLD) { await createAlert({ type: "brute_force", severity: "critical", actor_id: event.actor_id, ip_address: event.ip_address, attempt_count: count, }); } } ``` ### Pattern 2: Distributed Single-Target ``` 10:00:01 - auth.login_failed - user@example.com - 203.0.113.50 10:00:02 - auth.login_failed - user@example.com - 198.51.100.23 10:00:03 - auth.login_failed - user@example.com - 192.0.2.78 10:00:04 - auth.login_failed - user@example.com - 172.16.0.45 10:00:05 - auth.login_failed - user@example.com - 10.0.0.123 ``` **Indicators:** - Same target account - Different source IPs - Coordinated timing **Detection Rule:** ```typescript const DISTRIBUTED_THRESHOLD = 10; const WINDOW_SECONDS = 300; async function detectDistributedBruteForce(event: SecurityEvent) { const key = `dbf:${event.actor_id}`; await redis.sadd(key, event.ip_address); await redis.expire(key, WINDOW_SECONDS); const uniqueIPs = await redis.scard(key); if (uniqueIPs >= DISTRIBUTED_THRESHOLD) { await createAlert({ type: "distributed_brute_force", severity: "critical", actor_id: event.actor_id, unique_ips: uniqueIPs, }); } } ``` ### Pattern 3: Password Spraying ``` 10:00:01 - auth.login_failed - alice@example.com - 203.0.113.50 10:00:02 - auth.login_failed - bob@example.com - 203.0.113.50 10:00:03 - auth.login_failed - carol@example.com - 203.0.113.50 10:00:04 - auth.login_failed - dave@example.com - 203.0.113.50 10:00:05 - auth.login_failed - eve@example.com - 203.0.113.50 ``` **Indicators:** - Different target accounts - Same source IP - Common password attempts **Detection Rule:** ```typescript const SPRAY_THRESHOLD = 5; const WINDOW_SECONDS = 300; async function detectPasswordSpray(event: SecurityEvent) { const key = `spray:${event.ip_address}`; await redis.sadd(key, event.actor_id); await redis.expire(key, WINDOW_SECONDS); const uniqueTargets = await redis.scard(key); if (uniqueTargets >= SPRAY_THRESHOLD) { await createAlert({ type: "password_spray", severity: "high", ip_address: event.ip_address, unique_targets: uniqueTargets, }); } } ``` ## Threshold Tuning Thresholds need to balance security with user experience: | Attack Type | Recommended Threshold | Window | False Positive Risk | |------------|----------------------|--------|-------------------| | Single-target | 5 attempts | 1 min | Low | | Distributed | 10 unique IPs | 5 min | Low | | Password spray | 5 unique targets | 5 min | Medium | ### Adjusting for Your Application Consider these factors: - **User base size**: Larger = higher thresholds - **Password complexity requirements**: Stronger = lower thresholds - **MFA adoption**: Higher = can be more lenient - **Industry**: Financial/Healthcare = stricter ## Response Strategies ### Immediate Response 1. **Temporary Account Lock** ```typescript async function lockAccount(actorId: string, duration: number) { await redis.set(`lock:${actorId}`, "1", "EX", duration); await notifyUser(actorId, "account_locked"); } ``` 2. **IP Block** ```typescript async function blockIP(ipAddress: string, duration: number) { await redis.set(`block:${ipAddress}`, "1", "EX", duration); } ``` 3. **CAPTCHA Enforcement** ```typescript async function requireCaptcha(actorId: string) { await redis.set(`captcha:${actorId}`, "1", "EX", 3600); } ``` ### Progressive Response Implement escalating responses based on severity: | Attempt Count | Response | |--------------|----------| | 3 | Show CAPTCHA | | 5 | Delay response by 5 seconds | | 10 | Lock account for 15 minutes | | 20 | Lock account for 1 hour | | 50+ | Require password reset | ```typescript async function progressiveResponse(count: number, actorId: string) { if (count >= 50) { await forcePasswordReset(actorId); } else if (count >= 20) { await lockAccount(actorId, 3600); } else if (count >= 10) { await lockAccount(actorId, 900); } else if (count >= 5) { await delay(5000); } else if (count >= 3) { return { requireCaptcha: true }; } } ``` ## Integration with LiteSOC LiteSOC provides built-in brute force detection. Simply send your auth events: ```typescript await litesoc.track({ event: "auth.login_failed", actor: { id: userId, email: userEmail }, metadata: { reason: "invalid_password" } }); ``` LiteSOC automatically: - Detects all three attack patterns - Correlates events across time windows - Sends real-time alerts - Provides forensic investigation tools ## Best Practices Checklist - [ ] Rate limit authentication endpoints - [ ] Implement account lockout after N failures - [ ] Use CAPTCHA after initial failures - [ ] Monitor for distributed attacks (not just per-IP) - [ ] Alert on successful login after failures - [ ] Log all authentication attempts - [ ] Require MFA for sensitive accounts - [ ] Use secure password requirements - [ ] Monitor for credential stuffing patterns ## Conclusion Brute force detection is about pattern recognition and appropriate response. By implementing multiple detection layers and progressive responses, you can protect your users without creating friction for legitimate access. --- **Want automated brute force detection?** [Try LiteSOC free](/signup) and get real-time alerts when attacks happen. --- ## API Key Security: 10 Best Practices Every Developer Should Follow - **URL:** https://blog.litesoc.io/api-key-security-10-best-practices-every-developer-should-follow - **Published:** 2026-03-05 - **Author:** Amirol Ahmad > Learn how to secure your API keys, detect compromised credentials, and implement proper key rotation strategies for your SaaS application. API keys are the backbone of modern application security. They authenticate requests, authorize access, and track usage. But when mishandled, they become your biggest vulnerability. ## The Cost of Leaked API Keys In 2025 alone, over **6 million API keys** were exposed in public GitHub repositories. The consequences ranged from unauthorized data access to complete infrastructure takeovers costing companies millions. Here's what we've seen at LiteSOC: - Average time from key leak to exploitation: **12 minutes** - Average cost of a compromised API key: **$47,000** - Percentage of incidents caused by hardcoded keys: **68%** ## 10 Best Practices for API Key Security ### 1. Never Hardcode Keys in Source Code This seems obvious, but it's still the #1 cause of key leaks. ```typescript // ❌ Never do this const API_KEY = "lsoc_live_a1b2c3d4e5f6"; // ✅ Use environment variables const API_KEY = process.env.LITESOC_API_KEY; ``` ### 2. Use Different Keys for Each Environment Maintain separate keys for development, staging, and production: - `lsoc_test_*` for development/testing - `lsoc_live_*` for production only If a test key leaks, your production data remains safe. ### 3. Implement Key Rotation Rotate your API keys regularly, even if you don't suspect a breach: | Environment | Rotation Frequency | |-------------|-------------------| | Production | Every 90 days | | Staging | Every 30 days | | Development | On developer offboarding | ### 4. Use Short-Lived Tokens When Possible For client-side applications, use short-lived tokens instead of long-lived API keys: ```typescript // Request a short-lived token (expires in 1 hour) const { token, expiresAt } = await litesoc.createSessionToken({ permissions: ["events:write"], expiresIn: "1h", }); ``` ### 5. Restrict Key Permissions Apply the principle of least privilege. If a key only needs to write events, don't give it admin access: ```typescript // Create a key with limited scope const key = await litesoc.createApiKey({ name: "Event Ingestion Only", permissions: ["events:write"], // No admin, read, or delete permissions }); ``` ### 6. Allowlist IP Addresses Restrict where your API keys can be used from: - Production servers only - Specific CIDR ranges - Reject requests from unknown IPs ### 7. Monitor Key Usage Patterns Set up alerts for anomalous behavior: - Sudden spike in API calls - Requests from new geographic locations - Usage outside business hours - Failed authentication attempts LiteSOC automatically tracks all of these and alerts you in real-time. ### 8. Use Git Pre-Commit Hooks Prevent accidental commits of API keys: ```bash # .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: - id: gitleaks ``` ### 9. Encrypt Keys at Rest Store API keys encrypted in your database: ```typescript // Use AES-256 encryption for stored keys const encryptedKey = await encrypt(apiKey, process.env.ENCRYPTION_KEY); await db.apiKeys.create({ hash: sha256(apiKey), // For lookup encrypted: encryptedKey // For recovery }); ``` ### 10. Have an Incident Response Plan Know what to do when a key is compromised: 1. **Revoke immediately** - Don't wait to investigate 2. **Generate new key** - Update all services 3. **Review audit logs** - Understand the blast radius 4. **Notify affected users** - If customer data was accessed 5. **Post-mortem** - Prevent future leaks ## How LiteSOC Helps LiteSOC monitors your API key usage and detects: - **Credential stuffing** - Multiple failed auth attempts - **Anomalous usage** - Unusual request patterns - **Geographic anomalies** - Requests from unexpected locations - **Privilege escalation** - Attempts to access unauthorized resources When we detect suspicious activity, you get an alert within seconds—not days. ## Conclusion API key security isn't just about preventing leaks. It's about building a defense-in-depth strategy that assumes keys will eventually be compromised. By following these best practices and implementing proper monitoring with tools like LiteSOC, you can detect and respond to threats before they become breaches. --- **Ready to secure your API keys?** [Start your free trial](/signup) and get real-time alerts for credential compromises. --- ## The First 24 Hours After a Security Incident: A Startup Playbook - **URL:** https://blog.litesoc.io/the-first-24-hours-after-a-security-incident-a-startup-playbook - **Published:** 2026-03-01 - **Author:** Amirol Ahmad > When a security incident hits, every minute counts. Here's exactly what to do in the first 24 hours—even if you don't have a security team. It's 2 AM. Your phone buzzes. A customer just emailed: "Why am I getting password reset emails I didn't request?" Your stomach drops. This is the moment every founder dreads. You might be dealing with a security incident—and you have no idea what to do next. Take a breath. We've got you. This is the playbook for the first 24 hours after discovering a potential security incident. It's designed for startups without dedicated security teams, and it will help you contain damage, preserve evidence, and communicate effectively. ## Hour 0-1: Confirm and Contain ### Don't Panic (But Move Fast) Your first instinct might be to immediately shut everything down. Resist it. Rash actions can: - Destroy evidence you'll need later - Alert attackers that they've been discovered - Cause more damage than the incident itself Instead, take 5 minutes to assess. ### Confirm It's Actually an Incident Not every anomaly is a breach. Ask yourself: - Is this a real security event or a false positive? - Could this be explained by legitimate user behavior? - Is there corroborating evidence? **Signs it's real:** - Multiple users reporting the same issue - Unusual patterns in your security logs - Access from unexpected locations or IPs - Data that shouldn't exist in certain places ### Assemble Your Incident Team Even at a 5-person startup, you need defined roles: | Role | Responsibility | Who | |------|---------------|-----| | Incident Lead | Coordinates response, makes decisions | CTO or most senior engineer | | Technical Lead | Investigates and contains | Senior engineer | | Communications | Updates stakeholders | CEO or founder | | Scribe | Documents everything | Anyone available | The scribe role is critical. You'll need a timeline later. ### Initial Containment Based on what you know, take the minimum actions needed to stop active damage: **If credentials are compromised:** - Force password reset for affected accounts - Revoke active sessions - Temporarily disable affected accounts if needed **If an API key is exposed:** - Rotate the key immediately - Check logs for unauthorized usage - Assess what data the key could access **If there's active unauthorized access:** - Block the attacking IP (but save it first) - Revoke the compromised access method - Do NOT delete anything yet ```bash # Example: Block an IP while preserving evidence # First, log it echo "$(date): Blocking IP 203.0.113.42 - unauthorized access attempt" >> incident-log.txt # Then block (example for AWS security group) aws ec2 revoke-security-group-ingress \ --group-id sg-xxx \ --protocol tcp \ --port 443 \ --cidr 203.0.113.42/32 ``` ## Hour 1-4: Investigate ### Preserve Evidence Before you dig in, make sure you're not destroying evidence: - **Don't delete logs** (even if they contain sensitive data) - **Don't reboot servers** unless absolutely necessary - **Take snapshots** of affected systems - **Export relevant logs** to a separate location ```bash # Export logs before they rotate cp /var/log/auth.log /incident-evidence/auth-$(date +%Y%m%d).log cp /var/log/nginx/access.log /incident-evidence/nginx-$(date +%Y%m%d).log ``` ### Build a Timeline This is where security event logging pays off. You need to answer: 1. **When did the incident start?** 2. **What was the initial access vector?** 3. **What did the attacker do after gaining access?** 4. **What data or systems were affected?** If you're using LiteSOC, pull your event timeline: ```typescript // Get all events for the affected user in the last 7 days const events = await litesoc.events.list({ actor_id: affectedUserId, start_date: sevenDaysAgo, end_date: now, }); // Look for the anomaly that started it all const anomalies = await litesoc.alerts.list({ status: 'open', start_date: sevenDaysAgo, }); ``` ### Key Questions to Answer **For authentication incidents:** - When was the last legitimate login? - What IP addresses accessed the account? - Was MFA bypassed or was it not enabled? - Were any settings changed after the suspicious login? **For data exposure:** - What data was accessed? - Was data exported or downloaded? - Who had access to the exposed data? - How long was it exposed? **For API key compromise:** - When was the key last used legitimately? - What endpoints were called with the compromised key? - Was any data modified or exfiltrated? - Where was the key exposed (git commit, log file, etc.)? ### Determine the Blast Radius You need to understand the scope: - **Users affected**: 1? 100? All of them? - **Data exposed**: Emails? Passwords? Payment info? - **Systems compromised**: Just the app? Database? Infrastructure? - **Business impact**: Service disruption? Data loss? Reputational damage? Document everything. You'll need this for stakeholder communication and potentially for regulators. ## Hour 4-8: Communicate ### Internal Communication Your team needs to know what's happening: **What to share:** - We're investigating a security incident - Here's what we know so far - Here's what we're doing about it - Here's how to escalate if you notice anything related **What NOT to share (yet):** - Speculation about attackers - Unconfirmed scope or impact - Blame for individuals ### Customer Communication This is where most startups mess up. The instinct is to either: 1. Say nothing and hope it goes away 2. Over-share in a panic Both are wrong. **When to notify customers:** - If their data was accessed or exposed - If they need to take action (change passwords, etc.) - If the service is degraded due to containment measures **Template for initial customer communication:** ``` Subject: Security Notice - Action Required Hi [Customer], We detected suspicious activity on your account on [date]. As a precaution, we've [action taken - e.g., reset your password]. What you should do: 1. [Specific action they need to take] 2. [Another action if applicable] What we're doing: - Investigating the scope of the activity - Implementing additional security measures - We'll update you within [timeframe] If you have questions, contact us at [security email]. [Your name] ``` **What NOT to do:** - Don't minimize ("a minor incident") - Don't speculate about attackers - Don't promise things you can't deliver - Don't use legal jargon that confuses people ### Legal and Regulatory Depending on your situation, you may have legal obligations: **GDPR (if you have EU users):** - 72-hour notification requirement to supervisory authority - User notification if high risk to rights and freedoms **US State Laws (California, etc.):** - Breach notification requirements vary by state - Generally 30-60 days, but check your specific requirements **Industry Specific:** - HIPAA (healthcare): 60 days for breach notification - PCI-DSS (payment cards): Immediate notification to card brands **Our advice:** If the incident involves personal data, loop in legal counsel within the first 8 hours. Don't wait. ## Hour 8-16: Remediate ### Fix the Root Cause Containment stops the bleeding. Remediation fixes the wound. **Common root causes and fixes:** | Root Cause | Fix | |-----------|-----| | Weak password | Enforce password requirements, implement MFA | | Exposed API key | Rotate key, add secrets scanning to CI/CD | | SQL injection | Parameterized queries, input validation | | Session hijacking | Implement proper session management, add fingerprinting | | Phishing | Security awareness training, implement DMARC | | Excessive permissions | Implement least privilege, regular access reviews | ### Implement Additional Controls What would have detected this faster? Implement it now: - Add security event logging if you don't have it - Enable alerting for the attack pattern you just experienced - Add monitoring for indicators of compromise - Review and tighten access controls ### Validate the Fix Before declaring victory: - Test that the vulnerability is actually fixed - Verify containment measures can be safely removed - Check that normal operations are restored - Monitor for signs of attacker persistence ## Hour 16-24: Document and Learn ### Create an Incident Report Your incident report should include: 1. **Executive Summary** - What happened (one paragraph) - Impact (users affected, data exposed) - Current status 2. **Timeline** - When incident started - When detected - Key actions taken and when - When resolved 3. **Root Cause Analysis** - How did the attacker get in? - Why wasn't it detected sooner? - What made the attack possible? 4. **Impact Assessment** - Data accessed/exposed - Users affected - Business impact - Regulatory implications 5. **Remediation Actions** - Immediate fixes - Long-term improvements - Timeline for implementation 6. **Lessons Learned** - What went well - What could improve - Action items with owners and deadlines ### The Blameless Post-Mortem Within 48-72 hours, hold a post-mortem meeting. The goal isn't to assign blame—it's to improve. **Questions to discuss:** - How did we detect the incident? - Could we have detected it faster? - Did our response process work? - What tools or information were missing? - How do we prevent this specific issue? - How do we prevent this class of issues? **Output:** Concrete action items with owners and deadlines. ## The Checklist Print this out. Put it somewhere accessible. ### Immediate (Hour 0-1) - [ ] Confirm the incident is real - [ ] Assemble incident team - [ ] Assign roles (Lead, Technical, Comms, Scribe) - [ ] Initial containment actions - [ ] Start the incident log ### Investigation (Hour 1-4) - [ ] Preserve evidence (logs, snapshots) - [ ] Build incident timeline - [ ] Determine blast radius - [ ] Identify root cause ### Communication (Hour 4-8) - [ ] Notify internal team - [ ] Assess customer notification needs - [ ] Draft customer communication - [ ] Consult legal if personal data involved ### Remediation (Hour 8-16) - [ ] Fix root cause - [ ] Implement additional controls - [ ] Validate fixes - [ ] Safely remove containment measures ### Documentation (Hour 16-24) - [ ] Complete incident report - [ ] Schedule post-mortem - [ ] Update runbooks and procedures - [ ] Assign follow-up action items ## Prevention Is Cheaper Than Response The best incident is the one that never happens. Here's what to do before you're in crisis mode: 1. **Implement security event logging** — You can't investigate what you didn't record 2. **Set up alerting** — Detect anomalies before customers report them 3. **Enable MFA everywhere** — Most account takeovers become impossible 4. **Practice incident response** — Run a tabletop exercise quarterly 5. **Have a communication plan ready** — Draft templates before you need them --- Nobody wants to deal with a security incident at 2 AM. But with the right preparation and a clear playbook, you can contain damage, communicate effectively, and come out stronger. Need help with security event logging and anomaly detection? [LiteSOC](https://www.litesoc.io) gives you the visibility to detect incidents fast and the data to investigate them thoroughly. --- ## Why Your SIEM Is Overkill (And What to Use Instead) - **URL:** https://blog.litesoc.io/why-your-siem-is-overkill-and-what-to-use-instead - **Published:** 2026-03-01 - **Author:** Amirol Ahmad > Traditional SIEMs are built for enterprises with dedicated security teams. Here's why startups need a different approach to security monitoring. Let's talk about the elephant in the security room: that SIEM you're paying $50,000/year for that nobody actually uses. Or maybe you're not there yet. Maybe you're a startup founder Googling "security monitoring for startups" and getting bombarded with enterprise solutions that cost more than your entire engineering team. Here's the truth: **traditional SIEMs are designed for problems you don't have.** ## What a SIEM Actually Does Security Information and Event Management (SIEM) systems were built in the early 2000s to solve a specific problem: enterprises had dozens of security tools generating millions of logs, and they needed a way to correlate everything. A typical SIEM: - Ingests logs from firewalls, endpoints, servers, applications, cloud services - Normalizes data into a common format - Correlates events across sources - Triggers alerts based on rules - Provides compliance reporting Sounds great, right? Here's the problem. ## Why SIEMs Fail Startups ### 1. You Don't Have "Dozens of Security Tools" Enterprise SIEMs shine when you're correlating data from 50+ sources. But most startups have: - A cloud provider (AWS, GCP, or Azure) - An identity provider (Google Workspace, Okta) - A database (Postgres, MongoDB) - Their own application That's it. Four sources. You don't need a system designed to normalize data from Cisco firewalls, CrowdStrike endpoints, and on-prem Active Directory. ### 2. Alert Fatigue Is Built In SIEMs are famous for generating thousands of alerts per day. Enterprises handle this with Security Operations Centers—teams of analysts who triage alerts 24/7. You don't have a SOC. You have a Slack channel that everyone ignores because it's full of noise. The result? **Real threats get buried.** When everything is an alert, nothing is an alert. ### 3. Time-to-Value Is Measured in Months Setting up a traditional SIEM requires: - Deploying agents on every system - Writing custom parsers for your logs - Tuning hundreds of correlation rules - Building dashboards from scratch - Training your team to use it Most startups abandon their SIEM before it's fully configured. The ROI never materializes. ### 4. Pricing Punishes Growth SIEM pricing models are typically based on: - Data ingestion (GB/day) - Events per second (EPS) - Number of data sources As your startup grows, your security bill explodes. We've seen companies go from $2,000/month to $20,000/month in a single year—not because threats increased, but because their product got popular. ## What Startups Actually Need Let's flip the script. What does security monitoring look like when you design it for startups? ### 1. Application-First Monitoring Your biggest security risks aren't in your firewall logs. They're in your application: - Who's logging in? - Who's accessing sensitive data? - Who's making admin changes? You need visibility into your application security events, not generic infrastructure logs. ### 2. Intelligent Alerting, Not Rule Explosions Instead of writing 500 correlation rules, you need: - **Behavioral baselines**: What does normal look like for each user? - **Anomaly detection**: Alert when behavior deviates significantly - **Severity auto-assignment**: Critical events get attention, info events get logged One well-tuned alert is worth more than a thousand noisy ones. ### 3. Setup in Minutes, Not Months Modern security tools should work like modern developer tools: - `npm install` - Add your API key - Start tracking events If setup takes more than an hour, something is wrong. ### 4. Pricing That Scales With You Startup-friendly pricing means: - Generous free tier for early-stage companies - Predictable costs as you grow - No "call us for enterprise pricing" games ## The Alternative: Lightweight Security Observability This is why we built LiteSOC. It's not a SIEM. It's security observability designed for SaaS applications. Here's the difference: | Traditional SIEM | LiteSOC | |-----------------|---------| | Ingest everything, figure it out later | Track meaningful security events | | Hundreds of correlation rules | Behavioral AI detects anomalies | | Deploy agents everywhere | Single SDK integration | | Months to configure | Minutes to set up | | Pricing based on data volume | Pricing based on events tracked | | Requires dedicated analyst | Built for engineering teams | ## What You Actually Get ### Real-Time Event Tracking Track the 26 security events that actually matter: ```typescript import { LiteSOC } from '@litesoc/sdk'; const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY, }); // This is all it takes await litesoc.track({ event: 'auth.login_success', actor: { id: user.id, email: user.email }, ip: request.ip, }); ``` ### Behavioral Anomaly Detection LiteSOC learns what's normal for each user: - Typical login times and locations - Usual access patterns - Expected data operations When something deviates—like a user suddenly logging in from a new country and exporting all customer data—you get an alert. ### Threat Intelligence Built In Every event is enriched with: - VPN/Tor/proxy detection - Datacenter IP identification - Geolocation data - Threat scoring You don't need to integrate a separate threat intel feed. ### Instant Notifications Alerts go where your team already works: - Slack - Discord - Email - Webhooks for custom integrations No separate dashboard to check. No alert fatigue. ## When You Actually Need a SIEM Let's be fair: SIEMs aren't useless. You might need one if: - **You have compliance requirements mandating log retention** from all systems (not just application events) - **You have a dedicated security team** who can manage and tune it - **You need to correlate events** across on-prem infrastructure, multiple cloud providers, and legacy systems - **You're a large enterprise** with 1000+ employees But if you're a startup with < 100 employees, shipping fast and trying to stay secure? You don't need a SIEM. You need security observability that works with how you already build software. ## Making the Switch If you're currently drowning in SIEM alerts (or avoiding looking at them entirely), here's how to transition: ### Step 1: Identify Your Critical Events What are the 5-10 security events that would actually indicate a problem? - Failed logins - Privilege escalation - Data exports - Admin changes ### Step 2: Implement Application-Level Tracking Add security event tracking to your application code. This gives you context that infrastructure logs never will. ### Step 3: Set Up Meaningful Alerts Configure alerts for the events that matter, with appropriate thresholds. One alert per day is better than 100. ### Step 4: Evaluate Your Infrastructure Logging Needs Do you actually need to keep firewall logs? Or is that just compliance theater? Be honest about what provides value. ## The Bottom Line Security monitoring shouldn't require a six-figure budget and a dedicated team to maintain. The goal isn't to collect the most data—it's to detect and respond to threats quickly. Traditional SIEMs were built for a different era, when enterprises had on-prem data centers and armies of security analysts. Modern SaaS companies need modern tools. Stop paying for complexity you don't need. Start monitoring the events that actually matter. --- Ready to ditch the SIEM? [Try LiteSOC free](https://www.litesoc.io) — setup takes 10 minutes, not 10 months. --- ## 26 Security Events Every SaaS Should Track - **URL:** https://blog.litesoc.io/26-security-events-every-saas-should-track - **Published:** 2026-03-01 - **Author:** Amirol Ahmad > A complete guide to the security events your SaaS application needs to monitor for threat detection, compliance, and incident response. You're logging errors. You're tracking user signups. But are you logging the events that actually matter for security? Most SaaS applications have massive blind spots in their security logging. When an incident happens—and it will—you need to answer questions like: - Who accessed what, and when? - What changed before the breach? - How did the attacker get in? Without proper security event logging, you're flying blind. Here are the 26 security events every SaaS should be tracking, organized by category. ## Authentication Events These are your first line of defense. Authentication events tell you who's trying to get in, and whether they succeeded. ### 1. `auth.login_success` Every successful login. This is your baseline for normal behavior. **What to capture:** - User ID and email - IP address - User agent - Timestamp - Authentication method (password, SSO, magic link) ### 2. `auth.login_failed` Failed login attempts are critical for detecting brute force attacks. **What to capture:** - Attempted username/email - IP address - Failure reason (invalid password, user not found, account locked) - Attempt count **Alert threshold:** 5+ failures from the same IP or for the same account within 10 minutes. ### 3. `auth.logout` Track when sessions end intentionally. ### 4. `auth.password_reset` Password resets can be legitimate—or a sign of account takeover. **What to capture:** - Who initiated (user or admin) - IP address - Whether MFA was required ### 5. `auth.mfa_enabled` Celebrate this one. A user securing their account is always good news. ### 6. `auth.mfa_disabled` This is a warning sign. MFA disabled could mean: - Account takeover in progress - Social engineering succeeded - Legitimate user preference (but still worth monitoring) **Recommended action:** Send notification to user's backup email. ### 7. `auth.session_expired` Normal behavior, but useful for understanding session patterns. ### 8. `auth.token_refreshed` Token refresh patterns can reveal session hijacking attempts. ## Authorization Events Authentication tells you who someone is. Authorization tells you what they're trying to do. ### 9. `authz.access_denied` Someone tried to access something they shouldn't. Could be a misconfigured role, or could be reconnaissance. **What to capture:** - User ID - Requested resource - Required permission - User's current permissions **Alert threshold:** 10+ denials from the same user in 1 hour. ### 10. `authz.permission_granted` A new permission was assigned to a user or role. ### 11. `authz.permission_revoked` A permission was removed. Important for compliance auditing. ### 12. `authz.role_changed` Role changes can be legitimate or signs of privilege escalation. **What to capture:** - Who made the change - Target user - Previous role → New role ## Admin Events Admin actions are high-impact. Every single one should be logged. ### 13. `admin.user_created` New accounts being created, especially outside normal signup flow. ### 14. `admin.user_deleted` Account deletion. Critical for compliance and incident investigation. ### 15. `admin.user_suspended` Account suspension. Track who suspended and why. ### 16. `admin.privilege_escalation` **This is critical.** Any elevation of privileges should trigger immediate review. Examples: - User promoted to admin - New permissions added to existing admin - Service account created with elevated access **Recommended action:** Immediate Slack/email notification to security team. ### 17. `admin.settings_changed` Global application settings modified. Changes here affect everyone. **What to capture:** - Setting name - Previous value → New value - Who made the change ### 18. `admin.api_key_created` New API key generated. API keys are often more powerful than user accounts. **What to capture:** - Key name/identifier (never the key itself) - Assigned permissions - Who created it ### 19. `admin.api_key_revoked` API key deactivated. Track whether this was manual or automatic (expiration, security event). ## Data Events Data is what attackers are after. Monitor how it's accessed. ### 20. `data.sensitive_access` Access to PII, financial data, or other sensitive information. **Examples:** - Viewing another user's profile (admin action) - Exporting customer list - Accessing payment information ### 21. `data.export` Any bulk data export. This is a top indicator of data exfiltration. **What to capture:** - Export type (CSV, JSON, PDF) - Number of records - Data types included - Destination (download, email, integration) **Alert threshold:** Any export over 1,000 records, or any export to external email. ### 22. `data.bulk_delete` Mass deletion is either cleanup or destruction. **What to capture:** - Number of records - Data type - Who initiated - Whether recoverable (soft delete vs hard delete) **Recommended action:** Require confirmation for deletes over 100 records. ## Security Events These are explicit security incidents or near-misses. ### 23. `security.brute_force_detected` Your system detected a brute force pattern. This should trigger automated responses. **Automated responses:** - Temporary IP block - Account lockout - CAPTCHA requirement - Alert to security team ### 24. `security.suspicious_activity` Catch-all for anomalies that don't fit other categories. **Examples:** - Login from new country - Unusual access pattern - Multiple failed payments - Rapid API requests ### 25. `security.rate_limit_exceeded` Someone is hitting your API hard. Could be a bug, could be an attack. **What to capture:** - Endpoint hit - Request count - Time window - IP address and user (if authenticated) ### 26. `security.ip_blocked` An IP was blocked, either automatically or manually. **What to capture:** - IP address - Block reason - Duration - Who/what initiated the block ## Implementing These Events Here's how to implement comprehensive security event tracking with LiteSOC: ```typescript import { LiteSOC, SecurityEvents } from '@litesoc/sdk'; const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY, }); // Track a failed login await litesoc.track({ event: SecurityEvents.AUTH_LOGIN_FAILED, actor: { id: attemptedUserId, email: attemptedEmail, }, ip: request.ip, metadata: { reason: 'invalid_password', attempt_count: failedAttempts, }, }); // Track privilege escalation (critical) await litesoc.track({ event: SecurityEvents.ADMIN_PRIVILEGE_ESCALATION, actor: { id: adminUser.id, email: adminUser.email, }, ip: request.ip, metadata: { target_user_id: targetUser.id, previous_role: 'user', new_role: 'admin', reason: 'Promoted to admin by CEO', }, }); ``` ## What Happens After You Track? Logging is step one. What you do with the logs matters more: 1. **Real-time alerting**: Critical events (brute force, privilege escalation, bulk exports) should trigger immediate notifications. 2. **Behavioral analysis**: LiteSOC's AI analyzes patterns to detect anomalies—like a user suddenly logging in from a new country or accessing resources they've never touched before. 3. **Compliance reporting**: When auditors ask "show me all admin actions in the last 90 days," you can answer in seconds. 4. **Incident investigation**: When something goes wrong, you have a complete timeline of what happened. ## Start Today You don't need to implement all 26 events on day one. Start with the critical ones: **Week 1:** - `auth.login_success` - `auth.login_failed` - `auth.mfa_disabled` **Week 2:** - `admin.privilege_escalation` - `admin.user_created` - `admin.user_deleted` **Week 3:** - `data.export` - `data.bulk_delete` - `security.brute_force_detected` **Week 4:** - Everything else In 30 days, you'll have comprehensive security visibility. That's the difference between "we got hacked" and "we detected and stopped an attack." --- Ready to implement security event tracking? [Get started with LiteSOC](https://www.litesoc.io) — it takes less than 10 minutes. --- ## From Zero to SOC 2 Ready: A 90-Day Security Roadmap for Startups - **URL:** https://blog.litesoc.io/from-zero-to-soc-2-ready-a-90-day-security-roadmap-for-startups - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > You don't need a security team to build a secure product. Here's a week-by-week roadmap to get your startup SOC 2 ready in 90 days. # From Zero to SOC 2 Ready: A 90-Day Security Roadmap for Startups You're a team of five. You have no security engineer. Your "security policy" is a Notion page that says "don't commit secrets to git." Sound familiar? Here's the good news: you don't need a dedicated security team to build a secure product. You need a plan. This is the 90-day roadmap we wish we had when we started. Follow it week by week, and you'll go from "we should probably do something about security" to "here's our SOC 2 evidence package." ## The 90-Day Overview | Phase | Weeks | Focus | |-------|-------|-------| | **Foundation** | 1-4 | Authentication, access control, basic policies | | **Visibility** | 5-8 | Logging, monitoring, alerting | | **Process** | 9-12 | Documentation, vendor management, incident response | Let's break it down. --- ## Phase 1: Foundation (Weeks 1-4) Before you can monitor threats, you need to close the obvious gaps. ### Week 1: Authentication Hardening **Goal:** Make it hard to break into accounts. - Enforce MFA for all team members - Implement MFA for production database access - Enable SSO if you're using Google Workspace or Okta - Audit and remove any shared credentials - Set password requirements (12+ characters, no reuse) **Time required:** 2-4 hours **Tools:** Your identity provider (Google, Okta, Auth0) ### Week 2: Access Control **Goal:** Limit who can do what. - Implement role-based access control (RBAC) in your app - Create an admin role separate from regular users - Restrict production database access to essential personnel - Remove access for any former employees/contractors - Document who has access to what (a spreadsheet is fine) **Time required:** 4-8 hours **Tools:** Your app's code, cloud provider IAM ### Week 3: Infrastructure Security **Goal:** Lock down your infrastructure. - Enable encryption at rest for your database - Ensure all traffic is HTTPS (no exceptions) - Review and tighten security group / firewall rules - Enable audit logging on your cloud provider - Set up a secrets manager (no more `.env` files in Slack) **Time required:** 4-6 hours **Tools:** AWS KMS/Secrets Manager, Vercel environment variables, Supabase ### Week 4: Security Policies **Goal:** Write down what you're doing. - Create an Information Security Policy (1-2 pages) - Create an Acceptable Use Policy - Create an Access Control Policy - Store policies somewhere accessible (Notion, Confluence) - Have the team acknowledge they've read them **Time required:** 4-6 hours --- ## Phase 2: Visibility (Weeks 5-8) You can't protect what you can't see. ### Week 5: Security Event Logging **Goal:** Know what's happening in your app. - Integrate LiteSOC (or your logging solution) - Track authentication events (login, logout, failed attempts) - Track authorization changes (role updates, invitations) - Track sensitive actions (data exports, API key creation) - Verify events are flowing to your dashboard **Time required:** 4-8 hours ### Week 6: Alerting **Goal:** Get notified when something's wrong. - Configure alerts for failed login spikes - Configure alerts for impossible travel - Configure alerts for admin role changes - Set up a Slack channel for security alerts - Test that alerts actually fire **Time required:** 2-4 hours **Tools:** LiteSOC alerts, PagerDuty, Slack webhooks ### Week 7: Application Monitoring **Goal:** Catch errors before users report them. - Set up error tracking (Sentry, Bugsnag) - Configure uptime monitoring - Set up performance monitoring (Core Web Vitals) - Create a status page for customers **Time required:** 2-4 hours **Tools:** Sentry, Better Uptime, Vercel Analytics ### Week 8: Log Retention & Backup **Goal:** Keep evidence for auditors and incident response. - Verify security logs are retained for 90+ days - Set up automated database backups - Test that you can restore from backup - Document your backup and recovery process **Time required:** 2-4 hours --- ## Phase 3: Process (Weeks 9-12) Security isn't just tools—it's how you operate. ### Week 9: Vendor Management **Goal:** Know your third-party risk. - List all third-party services you use - Identify which vendors have access to customer data - Check if critical vendors have SOC 2 reports - Ensure you have DPAs (Data Processing Agreements) in place - Create a vendor inventory spreadsheet **Time required:** 4-6 hours **Minimum vendor list:** Hosting (Vercel/AWS), Database (Supabase), Auth (Auth0), Payments (Stripe), Email (Resend) ### Week 10: Incident Response **Goal:** Know what to do when things go wrong. - Write an Incident Response Plan (2-3 pages) - Define severity levels (P1, P2, P3) - Assign incident response roles - Create a security contact email (security@yourcompany.com) - Do a tabletop exercise with the team **Time required:** 4-6 hours **Your plan should answer:** 1. How do we detect an incident? 2. Who gets notified? 3. How do we contain it? 4. How do we communicate with customers? 5. How do we do a post-mortem? ### Week 11: Secure Development **Goal:** Build security into your workflow. - Require code reviews for all changes - Enable branch protection on main - Set up dependency vulnerability scanning (Dependabot, Snyk) - Add security linting to CI (ESLint security rules) - Document your SDLC (Software Development Lifecycle) **Time required:** 2-4 hours **Tools:** GitHub branch protection, Dependabot, Snyk ### Week 12: Risk Assessment & Audit Prep **Goal:** Identify gaps and prepare for audit. - Conduct a risk assessment (list threats, likelihood, impact) - Prioritize and document mitigation plans - Gather evidence for each control (screenshots, exports) - Organize evidence in folders by control area - Schedule a readiness assessment with your auditor **Time required:** 6-8 hours --- ## What You'll Have After 90 Days | Area | Before | After | |------|--------|-------| | **Authentication** | Passwords only | MFA enforced, SSO enabled | | **Access Control** | Everyone is admin | RBAC with documented access | | **Logging** | Console.log | Centralized security events | | **Alerting** | "We'd probably notice" | Real-time alerts to Slack | | **Policies** | Nothing written | 5+ security policies | | **Incident Response** | Panic | Documented playbook | | **Vendor Management** | "We use a lot of stuff" | Inventory with risk ratings | --- ## The Realistic Time Investment | Phase | Hours | Who | |-------|-------|-----| | Foundation (Weeks 1-4) | 15-25 | Engineering lead | | Visibility (Weeks 5-8) | 10-20 | Engineering lead | | Process (Weeks 9-12) | 15-25 | Founder + Engineering | | **Total** | **40-70 hours** | Spread over 12 weeks | That's roughly **4-6 hours per week**. Totally doable alongside shipping features. --- ## Common Mistakes to Avoid ### 1. Trying to boil the ocean You don't need to implement every security control on day one. Focus on the basics first. ### 2. Buying tools before understanding needs A $50k SIEM won't help if you're not logging the right events. Start simple. ### 3. Writing policies no one follows Policies should reflect what you actually do, not an aspirational fantasy. ### 4. Ignoring the human element Most breaches start with phishing or credential theft. Train your team. ### 5. Waiting until an enterprise deal forces you Starting earlier is always cheaper than scrambling later. --- ## Next Steps 1. **Block time on your calendar** — 4 hours per week for the next 12 weeks 2. **Pick a compliance platform** — Vanta, Drata, or Secureframe will guide you 3. **Set up security logging** — LiteSOC gets you visibility in an afternoon 4. **Engage an auditor early** — Get feedback before you think you're ready You don't need to be perfect. You need to be better than you were yesterday. **[Start your security journey with LiteSOC →](https://www.litesoc.io)** --- *Going through this process and have questions? We've done it ourselves and helped dozens of startups do the same. Reach out at hello@litesoc.io — we're happy to help.* --- ## The 26 Security Events Every SaaS Should Track - **URL:** https://blog.litesoc.io/the-26-security-events-every-saas-should-track - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > Not sure what to log? Here's the definitive list of security events that matter—organized by category with implementation examples. # The 26 Security Events Every SaaS Should Track "What should we be logging?" It's a question every engineering team asks eventually—usually right before an incident, or right after. The answer isn't "everything." That creates noise. The answer is: log the events that matter for security, compliance, and incident response. Here are the 26 security events we recommend tracking, organized by category. This is the same taxonomy LiteSOC uses internally, and it's based on patterns from hundreds of SaaS applications. ## Authentication Events These events track how users prove their identity. | Event Type | When to Track | |------------|---------------| | `user.login.success` | User successfully authenticates | | `user.login.failed` | Authentication attempt rejected | | `user.logout` | User ends their session | | `user.mfa.enabled` | User enables two-factor authentication | | `user.mfa.disabled` | User disables two-factor authentication | | `user.mfa.challenge.success` | User passes MFA challenge | | `user.mfa.challenge.failed` | User fails MFA challenge | **Why it matters:** 81% of breaches involve compromised credentials (Verizon DBIR). These events are your first line of defense. ## Account Lifecycle Events These events track changes to user accounts. | Event Type | When to Track | |------------|---------------| | `user.created` | New user account created | | `user.deleted` | User account removed | | `user.email.changed` | User changes their email address | | `user.password.changed` | User changes their password | | `user.password.reset_requested` | Password reset flow initiated | | `user.password.reset_completed` | Password successfully reset | **Why it matters:** Account takeover often starts with a password reset or email change. These events help you detect and investigate compromises. ## Authorization Events These events track permission and access changes. | Event Type | When to Track | |------------|---------------| | `user.role.updated` | User's role or permissions changed | | `user.invited` | User invited to organization | | `user.removed` | User removed from organization | | `team.member.added` | User added to a team | | `team.member.removed` | User removed from a team | **Why it matters:** Privilege escalation is a key step in most attacks. Tracking role changes helps you detect insider threats and compromised admin accounts. ## API & Integration Events These events track programmatic access to your system. | Event Type | When to Track | |------------|---------------| | `api_key.created` | New API key generated | | `api_key.revoked` | API key invalidated | | `api_key.used` | API key used for authentication | | `webhook.created` | Webhook endpoint configured | | `webhook.deleted` | Webhook endpoint removed | | `oauth.authorized` | OAuth app granted access | | `oauth.revoked` | OAuth app access revoked | **Why it matters:** API keys and OAuth tokens are credentials too. Leaked keys are a common attack vector—tracking creation and usage helps you detect abuse. ## Data Access Events These events track access to sensitive information. | Event Type | When to Track | |------------|---------------| | `data.exported` | User exports data from the system | | `data.viewed` | User accesses sensitive records | | `data.deleted` | User deletes records | **Why it matters:** Data exfiltration is often the goal of an attack. These events create an audit trail for what was accessed and by whom. ## System Events These events track infrastructure and configuration changes. | Event Type | When to Track | |------------|---------------| | `settings.updated` | System settings changed | | `billing.plan.changed` | Subscription plan modified | **Why it matters:** Configuration changes can create security vulnerabilities. Billing changes might indicate account compromise. ## Implementation Checklist Use this checklist to audit your current logging: ### Must Have (Critical) - `user.login.success` - `user.login.failed` - `user.password.changed` - `user.password.reset_requested` - `user.role.updated` - `api_key.created` - `api_key.revoked` ### Should Have (Important) - `user.created` - `user.deleted` - `user.mfa.enabled` - `user.mfa.disabled` - `data.exported` - `oauth.authorized` - `oauth.revoked` ### Nice to Have (Comprehensive) - `user.logout` - `user.invited` - `api_key.used` - `data.viewed` (for sensitive records) - `settings.updated` ## What Makes a Good Security Event Every event should include: | Field | Description | Example | |-------|-------------|---------| | `event_type` | Standardized event name | `user.login.success` | | `timestamp` | When it happened (UTC) | `2024-01-15T09:32:17Z` | | `actor.id` | Who did it | `usr_abc123` | | `actor.email` | Actor's email | `alice@acme.com` | | `target` | What was affected (if applicable) | `{ type: "user", id: "usr_xyz" }` | | `metadata.ip_address` | Where it came from | `203.0.113.42` | | `metadata` | Additional context | `{ method: "sso", provider: "okta" }` | ## Getting Started If you're starting from zero, implement in this order: 1. **Week 1:** Authentication events (login, logout, password changes) 2. **Week 2:** Authorization events (role changes, invitations) 3. **Week 3:** API events (key creation, OAuth grants) 4. **Week 4:** Data access events (exports, sensitive views) Or, use LiteSOC and implement all 26 in an afternoon. Our SDK normalizes events automatically and handles the infrastructure so you can focus on shipping. **[Start tracking security events →](https://www.litesoc.io)** --- *Have questions about which events to prioritize for your specific use case? Email us at hello@litesoc.io—we're happy to help you build your security logging strategy.* --- ## Securing Your Startup: Why We Built LiteSOC - **URL:** https://blog.litesoc.io/securing-your-startup-why-we-built-litesoc - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > Every startup founder faces the same dilemma: you know security matters, but the tools built for enterprises feel like bringing a firehose to water a houseplant. ## The Gap in the Market Traditional security platforms like Splunk, Datadog Security, and Sumo Logic are powerful. They're also designed for companies with dedicated security teams, six-figure budgets, and months to configure dashboards. For a 5-person startup shipping code every day, these tools create more problems than they solve: - **Pricing that scales against you.** Per-GB ingestion fees punish growth. - **Complexity overhead.** You need a security engineer just to set up the security tool. - **Alert fatigue.** Thousands of raw events with no context or prioritization. Most startups end up with nothing—a few scattered logs in Vercel, maybe some basic Sentry alerts—and hope for the best until their first enterprise customer asks for a SOC 2 report. ## The Solution: Security That Fits Your Stage LiteSOC is the security operations platform built for startups that ship fast but still need to sleep at night. We focused on three principles: 1. **Minimal integration, maximum signal.** Drop in our SDK (Node.js, Python, PHP) and start tracking security events in minutes, not weeks. 2. **Normalized events, not noise.** Our Event Normalizer maps your application activity to 26 standardized security event types—from `user.login.success` to `api.rate_limit.exceeded`. No more parsing raw logs. 3. **Intelligence out of the box.** Features like Impossible Travel detection work automatically. If a user logs in from New York and then Tokyo 30 minutes later, you'll know. ## Built for Compliance from Day One We're not just building a security tool—we're building it *with* SOC 2 standards baked in. Every LiteSOC feature is designed to help you answer the questions auditors ask: - Who accessed what, and when? - How do you detect anomalous behavior? - Where are your audit logs stored? When your first enterprise deal requires a security questionnaire, you'll have answers. ## Get Started LiteSOC is free to start. No credit card, no sales call, no 47-field signup form. Install the SDK, send your first event, and see your security posture in minutes. **[Get started for free at litesoc.io →](https://www.litesoc.io)** --- *Building something and need security that doesn't slow you down? We'd love to hear from you. Reach out on [X @mylitesoc](https://www.x.com/mylitesoc) or drop us a line at hello@litesoc.io.* --- ## Understanding Impossible Travel Detection - **URL:** https://blog.litesoc.io/understanding-impossible-travel-detection - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > Deep dive into how LiteSOC detects impossible travel attacks using the Haversine formula and behavioral analysis. Impossible travel is one of the most reliable indicators of account compromise. When a user appears to log in from two distant locations in an impossibly short timeframe, something is wrong. ## What is Impossible Travel? Impossible travel occurs when authentication events happen from geographic locations that would be physically impossible to travel between in the given time window. For example: - Login from New York at 10:00 AM - Login from London at 10:30 AM - Distance: ~5,500 km - Time needed (by plane): ~7 hours This is a clear indicator of credential theft. ## The Haversine Formula LiteSOC uses the Haversine formula to calculate the great-circle distance between two points on Earth: ```typescript function haversineDistance( lat1: number, lon1: number, lat2: number, lon2: number ): number { const R = 6371; // Earth's radius in km const dLat = toRad(lat2 - lat1); const dLon = toRad(lon2 - lon1); const a = Math.sin(dLat / 2) * Math.sin(dLat / 2) + Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) * Math.sin(dLon / 2); const c = 2 * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a)); return R * c; } ``` ## Threshold Calculation We assume a maximum travel speed of 1,000 km/h (faster than commercial flights) to account for: - Private jets - Multiple connecting flights - Time zone variations If the required speed exceeds this threshold, we flag it as impossible travel. ## False Positive Mitigation Not all impossible travel is malicious. LiteSOC accounts for: - **VPN Usage**: Detected via IP intelligence - **Known Devices**: Same device fingerprint reduces risk - **Business Travel Patterns**: Learned over time ## Conclusion Impossible travel detection is a powerful tool in your security arsenal. LiteSOC makes it automatic — no configuration required. --- ## SOC 2 Compliance for Startups: A Practical Guide - **URL:** https://blog.litesoc.io/soc-2-compliance-for-startups-a-practical-guide - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > Everything you need to know about achieving SOC 2 compliance as a startup, including which controls to prioritize and common pitfalls to avoid. SOC 2 compliance is increasingly becoming a requirement for B2B SaaS companies. But for startups, the path to compliance can seem overwhelming. This guide breaks it down into actionable steps. ## What is SOC 2? SOC 2 (Service Organization Control 2) is a framework developed by the AICPA for managing customer data based on five trust service criteria: 1. **Security** - Protection against unauthorized access 2. **Availability** - System availability for operation 3. **Processing Integrity** - System processing is complete and accurate 4. **Confidentiality** - Information designated as confidential is protected 5. **Privacy** - Personal information is handled appropriately ## Type 1 vs Type 2 - **Type 1**: Point-in-time assessment of your controls - **Type 2**: Assessment of controls over a period (usually 6-12 months) Most startups begin with Type 1, then progress to Type 2. ## Essential Controls for Startups ### 1. Access Control ```typescript // Example: Role-based access control const canUserDo = (user: User, action: string): boolean => { const permissions = ROLE_PERMISSIONS[user.role]; return permissions.includes(action); }; ``` ### 2. Audit Logging Every administrative action must be logged: - Who performed the action - What action was performed - When it occurred - What changed LiteSOC provides 50+ built-in audit events out of the box. ### 3. Data Encryption - **At rest**: AES-256 encryption - **In transit**: TLS 1.3 ### 4. Multi-Factor Authentication MFA should be available for all users and mandatory for administrators. ## Common Pitfalls 1. **Scope creep**: Start with security only, add other criteria later 2. **Manual processes**: Automate everything possible 3. **Documentation gaps**: Document as you build, not after ## How LiteSOC Helps LiteSOC is built SOC 2 ready: - ✅ Comprehensive audit logging - ✅ PII auto-redaction in logs - ✅ Role-based access control - ✅ MFA enforcement - ✅ Data encryption ## Conclusion SOC 2 doesn't have to be scary. Start with the basics, automate where possible, and use tools that are built with compliance in mind. --- ## Building Real-Time Security Monitoring with LiteSOC - **URL:** https://blog.litesoc.io/building-real-time-security-monitoring-with-litesoc - **Published:** 2026-02-25 - **Author:** Amirol Ahmad > Learn how to implement real-time security monitoring in your SaaS application using LiteSOC's event-driven architecture and behavioral AI. Security monitoring shouldn't be an afterthought. In this guide, we'll walk through implementing real-time security monitoring using LiteSOC's powerful event-driven architecture. ## Why Real-Time Monitoring Matters Traditional security solutions rely on periodic scans and batch processing. By the time you discover a breach, the damage is already done. Real-time monitoring changes this paradigm by: - **Instant Detection**: Identify threats as they happen, not hours later - **Immediate Response**: Trigger automated responses within milliseconds - **Reduced Attack Surface**: Stop attackers before they can pivot ## Setting Up LiteSOC First, install the LiteSOC SDK: ```bash npm install @litesoc/sdk ``` Then initialize the client: ```typescript import { LiteSOC } from '@litesoc/sdk'; const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY, }); ``` ## Tracking Authentication Events The most critical events to track are authentication-related: ```typescript // Track successful logins await litesoc.track({ event: 'login_success', userId: user.id, metadata: { method: 'password', mfa_used: true, }, }); // Track failed attempts await litesoc.track({ event: 'login_failed', userId: attemptedUserId, metadata: { reason: 'invalid_password', attempt_count: 3, }, }); ``` ## Behavioral AI Detection LiteSOC's behavioral AI automatically learns your users' patterns and detects anomalies: - **Impossible Travel**: User logs in from New York, then Tokyo 10 minutes later - **Unusual Access Times**: 3 AM login for a 9-5 user - **Device Fingerprint Changes**: Same account, new device characteristics ## Conclusion Real-time security monitoring is no longer optional for modern SaaS applications. With LiteSOC, you can implement enterprise-grade security in minutes, not months. Ready to get started? [Sign up for free](https://litesoc.io/signup) and start monitoring in under 5 minutes. ---