Event Monitoring
Monitor security events across your organization in real-time with AI-powered threat detection.
Overview
CastellanAI continuously monitors your endpoints for security events, providing instant visibility into potential threats. Events appear in your dashboard within seconds of occurring on any monitored device.
What Gets Monitored
CastellanAI agents monitor the following security-relevant activity:
Authentication Events
| Event Type | Examples |
|---|---|
| Login Attempts | Successful and failed logins, account lockouts |
| Privilege Changes | Admin rights granted, group membership changes |
| Session Activity | Remote desktop connections, session logoffs |
System Activity
| Event Type | Examples |
|---|---|
| Process Execution | Programs launched, scripts run, command-line activity |
| File Changes | Modifications to sensitive files and folders |
| Network Connections | Outbound connections, unusual traffic patterns |
Security Alerts
| Event Type | Examples |
|---|---|
| Antivirus Detections | Malware found, threats blocked |
| Policy Violations | Unauthorized software, configuration changes |
| Anomalous Behavior | Unusual user activity, potential insider threats |
Viewing Events in the Dashboard
Accessing the Events Page
Click Security Events in the left sidebar navigation to view all recent security events.
Summary Cards
At the top of the page, four summary cards provide an at-a-glance overview:
| Card | Description |
|---|---|
| Total Events | Count of all security events detected |
| Open Events | Events requiring attention (Open or Investigating status) |
| Critical Threats | High-priority security incidents needing immediate response |
| Average Risk | Mean risk score across all displayed events |
Platform Filter
Use the platform dropdown in the top-right corner to filter events by operating system:
- All Platforms - Show events from all agents
- Windows - Show only Windows events
- Linux - Show only Linux events
- macOS - Show only macOS events
Event List
Each event card displays:
- Risk Level Badge - Color-coded severity (Critical, High, Medium, Low)
- Platform Badge - Operating system icon (Windows, Linux, macOS)
- Event Type - Classification of the security event
- Event ID - Windows Event ID (when applicable)
- Correlation Indicator - Shows whether the event is linked to related events
- Status - Current investigation status (Open, Investigating, Resolved, Closed)
- Message - Description of what occurred
- Machine - Device hostname where event originated
- User - Username involved in the event
- Source - Event log source
- MITRE ATT&CK Techniques - Mapped threat techniques (when applicable)
- Timestamp - When the event occurred
- Confidence - AI confidence score
- IP Addresses - Related network addresses (when applicable)
Event Details Modal
Click any event to open the detail modal with full information including:
- When it happened (timestamp)
- Where it occurred (device name)
- Who was involved (username)
- What happened (event description)
- Risk Level - AI-calculated severity
- Status - Current investigation status
- MITRE ATT&CK mapping (threat technique classification)
- Threat Analysis scores:
  - Confidence - AI detection confidence
  - Correlation - How related to other events
  - Burst - Activity spike indicator
  - Anomaly - Deviation from normal behavior
- IP Addresses - All related network addresses
- Notes - Investigation notes (if any)
- Assignment - Who is investigating (if assigned)
Real-Time Updates
The Security Events page automatically refreshes every 30 seconds to show new events. A SignalR connection provides instant notifications when new events arrive—look for the connection status indicator next to the platform filter.
Real-Time Alerts
Configure alerts to be notified immediately when critical events occur:
- Go to Settings in the sidebar
- Set up alert rules based on event severity or type
- Choose notification method (email, Teams, Slack)
See Notifications Setup for detailed instructions.
Data Retention
Your event history is retained based on your subscription tier:
| Subscription | Event Retention |
|---|---|
| Small Business | 24 hours |
| Medium Business | 7 days |
| Enterprise | 30 days |
Need longer retention? Export events regularly or upgrade your subscription tier.
AI-Powered Analysis
CastellanAI automatically analyzes every event to:
- Calculate risk scores - Prioritize the most critical threats
- Identify patterns - Detect attack sequences across multiple events (correlation)
- Map to MITRE ATT&CK - Classify threats using the industry-standard framework
- Detect anomalies - Flag unusual activity that deviates from baselines
- Identify burst activity - Detect rapid event sequences indicating active attacks
- Reduce noise - Filter out routine activity so you can focus on real threats
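To make the burst, correlation and risk signals above concrete, here is an added illustration (not CastellanAI's own code or algorithm) that scores a constructed list of Windows logon events: a sliding-window burst score per machine, a correlation check for the failed-logon, successful-logon, admin-privilege sequence per user, and a mapping of the combined score onto the dashboard's badge levels. The thresholds, weights and sample events are assumptions; the event IDs are the standard Windows security log IDs.

```python
# Added illustration, not CastellanAI code: burst, correlation and risk scoring
# over constructed events. Thresholds, weights and sample data are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the event-list columns. Windows security
# event IDs: 4625 failed logon, 4624 successful logon, 4672 admin privileges assigned.
EVENTS = [
    {"ts": f"2024-01-15T09:00:{s:02d}", "machine": "WS-01", "user": "alice", "event_id": 4625}
    for s in range(0, 50, 10)
] + [
    {"ts": "2024-01-15T09:01:05", "machine": "WS-01", "user": "alice", "event_id": 4624},
    {"ts": "2024-01-15T09:01:20", "machine": "WS-01", "user": "alice", "event_id": 4672},
    {"ts": "2024-01-15T09:30:00", "machine": "WS-02", "user": "bob", "event_id": 4624},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def burst_score(events, window=timedelta(seconds=60), threshold=5):
    """Per machine: largest event count in any sliding window, scaled to 0..1."""
    times = defaultdict(list)
    for e in events:
        times[e["machine"]].append(_t(e))
    scores = {}
    for machine, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        scores[machine] = min(1.0, best / threshold)
    return scores

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Per user: flag failed logons -> successful logon -> admin privileges within the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        by_user[e["user"]].append(e)
    chains = {}
    for user, evs in by_user.items():
        failures, first_fail, logon = 0, None, None
        for e in evs:
            if e["event_id"] == 4625:
                failures += 1
                first_fail = first_fail or _t(e)
            elif e["event_id"] == 4624 and failures >= min_failures and _t(e) - first_fail <= window:
                logon = e
            elif e["event_id"] == 4672 and logon and _t(e) - _t(logon) <= window:
                chains[user] = ["T1110 Brute Force", "T1078 Valid Accounts"]  # MITRE ATT&CK techniques
    return chains

def risk_level(burst, correlated):
    """Combine the signals into the dashboard's badge levels (weights are assumptions)."""
    score = 0.5 * burst + 0.5 * (1.0 if correlated else 0.0)
    return "Critical" if score >= 0.9 else "High" if score >= 0.6 else "Medium" if score >= 0.3 else "Low"
```

With the sample data, WS-01 saturates the burst score and alice's sequence is correlated, so her events rate Critical, while bob's single routine logon rates Low.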
Best Practices
- Check the dashboard daily - Review high-severity events at minimum
- Configure alerts - Don't rely solely on manual dashboard checks
- Investigate promptly - Critical and high-severity events warrant immediate attention
- Use platform filters - Focus on specific operating systems when investigating
- Review correlated events - Events marked as "Correlated" may be part of larger attack chains
- Export for compliance - Regularly export events if you need longer retention for audits
What's Next?
- Threat Detection - Learn how threats are identified
- MITRE ATT&CK - Understand threat classification
- Alerts & Severity - Configure alert thresholds