Event Monitoring
Monitor security events across your organization in real-time with AI-powered threat detection.
Events appear in your dashboard within seconds of occurring on any monitored device via SignalR streaming.
Overview
CastellanAI continuously monitors your endpoints for security events, providing instant visibility into potential threats.
What Gets Monitored
Authentication Events
| Event Type | Examples |
|---|---|
| Login Attempts | Successful and failed logins, account lockouts |
| Privilege Changes | Admin rights granted, group membership changes |
| Session Activity | Remote desktop connections, session logoffs |
Multiple failed login attempts against the same account may indicate a brute-force attack; these are automatically flagged as high priority.
System Activity
| Event Type | Examples |
|---|---|
| Process Execution | Programs launched, scripts run, command-line activity |
| File Changes | Modifications to sensitive files and folders |
| Network Connections | Outbound connections, unusual traffic patterns |
Security Alerts
| Event Type | Examples |
|---|---|
| Antivirus Detections | Malware found, threats blocked |
| Policy Violations | Unauthorized software, configuration changes |
| Anomalous Behavior | Unusual user activity, potential insider threats |
Antivirus detections and anomalous behavior trigger immediate notifications when configured.
Viewing Events in the Dashboard
Summary Cards
At the top of the Security Events page, four summary cards provide an at-a-glance overview:
| Card | Description |
|---|---|
| Total Events | Count of all security events detected |
| Open Events | Events requiring attention (Open or Investigating status) |
| Critical Threats | High-priority security incidents needing immediate response |
| Average Risk | Mean risk score across all displayed events |
Platform Filter
Filter events by operating system using the platform dropdown:
| Filter | Shows |
|---|---|
| All Platforms | Events from all agents |
| Windows | Windows events only |
| Linux | Linux events only |
| macOS | macOS events only |
Event Details
Event List Information
Each event card displays:
| Field | Description |
|---|---|
| Risk Level Badge | Color-coded severity (Critical, High, Medium, Low) |
| Platform Badge | Operating system icon |
| Event Type | Classification of the security event |
| Event ID | Windows Event ID (when applicable) |
| Status | Current investigation status |
| Message | Description of what occurred |
| Machine | Device hostname |
| User | Username involved |
| Timestamp | When the event occurred |
Full Event Details
Click any event to see complete information:
| Section | Content |
|---|---|
| When | Timestamp of occurrence |
| Where | Device name and IP address |
| Who | Username and account details |
| What | Full event description |
| Risk Level | AI-calculated severity |
| MITRE ATT&CK | Mapped threat techniques |
| Threat Scores | Confidence, Correlation, Burst, Anomaly |
| IP Addresses | Related network addresses with enrichment |
AI Threat Analysis Scores
| Score | Description |
|---|---|
| Confidence | AI detection confidence (0-100%) |
| Correlation | How related to other events |
| Burst | Activity spike indicator |
| Anomaly | Deviation from normal behavior |
High correlation and burst scores occurring together often indicate an active attack in progress.
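As an added illustration of the "multiple failed logins" flag and the Burst score described above (example code written for this page, not CastellanAI's own scoring, which the page does not describe), the following sliding-window detector counts Windows failed-logon events (Event ID 4625) per machine/user pair over constructed sample events; the two-minute window, the five-failure threshold and the badge cut-offs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs: 4625 = failed logon, 4624 = successful logon.
FAILED_LOGON = 4625

# Constructed sample events, shaped like the fields shown on the event list.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:00", "machine": "WS-01", "user": "alice", "event_id": 4624},
    {"timestamp": "2024-05-01T09:01:05", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T09:01:10", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T09:01:14", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T09:01:20", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T09:01:25", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T09:01:31", "machine": "WS-01", "user": "bob", "event_id": 4625},
    {"timestamp": "2024-05-01T10:30:00", "machine": "WS-02", "user": "carol", "event_id": 4625},
    {"timestamp": "2024-05-01T14:00:00", "machine": "WS-02", "user": "carol", "event_id": 4625},
]


def burst_score(events, window=timedelta(minutes=2), threshold=5):
    """Return {(machine, user): score}, where score is the largest number of failed
    logons seen inside any sliding `window`, scaled so `threshold` failures = 100.
    Window and threshold are assumed values, not CastellanAI's."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            failures[(e["machine"], e["user"])].append(datetime.fromisoformat(e["timestamp"]))
    scores = {}
    for key, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        scores[key] = min(100, round(100 * peak / threshold))
    return scores


def risk_level(score):
    """Map a burst score onto the four risk badges (assumed cut-offs)."""
    if score >= 100:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def flag_brute_force(events, **kw):
    """Risk badge per (machine, user) pair that produced at least one failed logon."""
    return {k: risk_level(s) for k, s in burst_score(events, **kw).items()}
```

Two isolated failures hours apart stay Low, while six failures in under half a minute saturate the score.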
Real-Time Updates
The Security Events page automatically refreshes every 30 seconds.
Look for the connection status indicator next to the platform filter. Green means you're receiving live updates.
Data Retention
Your event history is retained based on your subscription tier:
| Subscription | Event Retention |
|---|---|
| Small Business | 24 hours |
| Medium Business | 7 days |
| Enterprise | 30 days |
💡 Need Longer Retention?
- Export events regularly - Download CSV/JSON exports for compliance
- Upgrade your subscription - Higher tiers include longer retention
- Use external SIEM - Forward events to your SIEM for extended storage
AI-Powered Analysis
CastellanAI automatically analyzes every event:
| Capability | Description |
|---|---|
| Calculate risk scores | Prioritize the most critical threats |
| Identify patterns | Detect attack sequences across multiple events |
| Map to MITRE ATT&CK | Classify threats using the industry-standard framework |
| Detect anomalies | Flag unusual activity that deviates from baselines |
| Identify burst activity | Detect rapid event sequences indicating active attacks |
| Reduce noise | Filter out routine activity so you can focus on real threats |
Best Practices
✅ Daily Monitoring Checklist
- Check the dashboard for new high-severity events
- Review critical threats requiring immediate attention
- Verify all agents are connected and healthy
- Check for correlated events indicating attack chains
- Update event statuses as you investigate
🔔 Alert Configuration Tips
- Configure alerts for critical and high-severity events
- Don't rely solely on manual dashboard checks
- Set up multiple notification channels (email, Slack, Teams)
- Review and tune alert thresholds regularly
What's Next?
| Guide | Description |
|---|---|
| Threat Detection | Learn how threats are identified |
| MITRE ATT&CK | Understand threat classification |
| Alerts & Severity | Configure alert thresholds |