Event Types Reference
Complete reference for all 67 standard event types, 28 agent types, and 10 auto-detected patterns. Use these as the event field in your POST /v1/events API calls.
Why use predefined event types?
Every predefined event type triggers specialized detection rules that custom events don't get. For example, auth.login.failure automatically activates brute force counting, credential spray detection, and distributed botnet tracking. A custom event like custom.login.fail only gets generic enrichment (GeoIP, OSINT feeds, request scanning).
21 detector functions • 46 alert types • 5 kill chain patterns • 10 detector families for FLASH-tier classification
Event Type Format
All event types must conform to the following validation rules before being accepted by the ingestor.
^[a-z][a-z0-9]{0,29}(\.[a-z][a-z0-9_]{0,29}){1,3}$
Rules
- 2–4 dot-separated segments
- Lowercase alphanumeric + underscore only
- Each segment starts with a letter, max 30 characters
- Total length max 100 characters
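A validator that applies the rules above, as an added example (not SOCWarden's own ingestor code). It checks the regex printed on this page, the separate 100-character cap (which the regex alone does not enforce, since four 30-character segments plus three dots is 123 characters), and the seven standard prefixes listed further down. The `validate_event_type` and `event_prefix` function names and the per-rule error messages are this example's own.

```python
import re
from typing import Optional

# Validation pattern exactly as the Event Type Format section prints it.
EVENT_TYPE_RE = re.compile(r"^[a-z][a-z0-9]{0,29}(\.[a-z][a-z0-9_]{0,29}){1,3}$")
# Per-segment shape, used to produce a readable reason before the full check.
SEGMENT_RE = re.compile(r"[a-z][a-z0-9_]{0,29}")
# The 100-character cap is a separate rule: the pattern still matches a
# 123-character name made of four 30-character segments, so check it apart.
MAX_TOTAL_LENGTH = 100
MIN_SEGMENTS, MAX_SEGMENTS = 2, 4

# The seven standard prefixes listed on this page.
STANDARD_PREFIXES = frozenset({"auth", "account", "data", "admin", "api", "server", "custom"})


def validate_event_type(event_type: str) -> list[str]:
    """Return every rule violation found; an empty list means the name is valid.

    Each rule is checked separately so the caller gets a readable reason
    instead of a bare regex mismatch; the ingestor pattern is then applied
    as the authoritative check.
    """
    if not isinstance(event_type, str) or not event_type:
        return ["event type must be a non-empty string"]
    problems: list[str] = []
    if len(event_type) > MAX_TOTAL_LENGTH:
        problems.append(f"total length {len(event_type)} exceeds {MAX_TOTAL_LENGTH}")
    segments = event_type.split(".")
    if not MIN_SEGMENTS <= len(segments) <= MAX_SEGMENTS:
        problems.append(
            f"{len(segments)} segment(s); need {MIN_SEGMENTS}-{MAX_SEGMENTS} dot-separated segments"
        )
    for index, segment in enumerate(segments, start=1):
        if not SEGMENT_RE.fullmatch(segment):
            problems.append(
                f"segment {index} {segment!r} must start with a lowercase letter and "
                "contain only a-z, 0-9 and _ (max 30 characters)"
            )
    # Authoritative check. The pattern admits '_' only from the second segment
    # on, so a name such as 'my_app.event' passes the per-segment checks above
    # but is still rejected here.
    if not problems and not EVENT_TYPE_RE.match(event_type):
        problems.append("does not match the ingestor pattern (no '_' in the first segment)")
    return problems


def event_prefix(event_type: str) -> Optional[str]:
    """Return the first segment if it is a standard prefix, else None.

    A valid name with a non-standard prefix (e.g. payment.completed) is still
    accepted by the ingestor but activates no prefix-specific pipeline.
    """
    first = event_type.split(".", 1)[0]
    return first if first in STANDARD_PREFIXES else None


if __name__ == "__main__":
    # Names from this page's valid/invalid example lists plus two edge cases.
    for name in ("auth.login.success", "payment.completed", "server.ssh.login.failure",
                 "custom.form.submitted", "Login Failed", "auth", "AUTH.LOGIN",
                 "a.b.c.d.e", "my_app.event",
                 ".".join(["a" * 30, "b" * 30, "c" * 30, "d" * 30])):
        found = validate_event_type(name)
        print(f"{name[:40]!r:44} {'valid' if not found else '; '.join(found)}")
```

Run it as a pre-flight check in the client that builds `POST /v1/events` payloads: a name that fails here would be rejected by the ingestor, and a name whose `event_prefix` is `None` will only ever receive generic enrichment.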
Valid examples
- auth.login.success
- payment.completed
- server.ssh.login.failure
- custom.form.submitted
Invalid examples
| Example | Reason |
|---|---|
| Login Failed | uppercase, spaces |
| auth | only 1 segment |
| AUTH.LOGIN | uppercase |
| a.b.c.d.e | 5 segments |
Standard Prefixes
SOCWarden recognizes 7 standard prefixes. Events with these prefixes automatically activate the corresponding detection pipelines.
| Prefix | Description |
|---|---|
| auth.* | Authentication events |
| account.* | Account management |
| data.* | Data operations |
| admin.* | Admin operations |
| api.* | API/request events |
| server.* | Server-level (agent) |
| custom.* | Explicitly custom |
Event Types by Category
All recognized event types grouped by category.
Custom Events (custom.*)
Any event type starting with custom. is accepted. These get full enrichment (GeoIP, threat feeds, risk scoring) but no event-type-specific base score. Use custom threat models (Pro+) to define detection rules for custom events.
- custom.form.submitted
- custom.order.placed
- custom.webhook.received
Auto-Detected Patterns (Inferred Types)
When users send generic events (like api.request), the enricher auto-tags them if patterns match. These inferred types are added as tags and activate additional detection pipelines.
| Inferred Type | Trigger Condition | Detection Activated |
|---|---|---|
| inferred:auth.failure | HTTP 401/403 + auth-related path | Brute force counting |
| inferred:auth.success | HTTP 200 + auth path + actor_id present | Impossible travel, geo-anomaly |
| inferred:auth.logout | Path contains /logout or /signout | Session tracking |
| inferred:data.export | Path contains /export or /download + rows/size in metadata | Bulk export detection |
| inferred:account.create | Path contains register/signup + email present | Disposable email check |
| inferred:account.delete | HTTP DELETE + /users or /accounts path | Account lifecycle |
| inferred:role.change | Metadata contains role/permission/privilege keys | Session anomaly |
| inferred:mfa.event | Metadata contains mfa/2fa/totp/otp | — |
| inferred:password.event | Path contains password/reset + email | HIBP check |
| inferred:rate.limited | HTTP status 429 | — |
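The table above as executable inference rules, added here as an illustration and not SOCWarden's enricher code. It assumes a flat event payload with `status` (HTTP status code), `method`, `path`, `actor_id`, optional `email` and a `metadata` object; the page names `actor_id` and `metadata`, the other field names are assumptions. The substrings taken to mean "auth-related path" (`AUTH_PATH_TOKENS`) are also an assumption, as the page does not list them. The sample events are constructed.

```python
from typing import Any

# Substrings assumed to mark an "auth-related path" (the page does not list them).
AUTH_PATH_TOKENS = ("/login", "/signin", "/auth", "/session", "/token")
ROLE_KEY_TOKENS = ("role", "permission", "privilege")
MFA_KEY_TOKENS = ("mfa", "2fa", "totp", "otp")


def _keys_containing(metadata: dict, tokens) -> bool:
    """True if any metadata key contains any of the tokens (case-insensitive)."""
    return any(tok in str(key).lower() for key in metadata for tok in tokens)


def infer_tags(event: dict[str, Any]) -> list[str]:
    """Apply the ten trigger conditions from the Auto-Detected Patterns table.

    Returns the inferred types in table order. Several can match one event,
    e.g. a role change whose metadata also carries an MFA flag.
    """
    status = event.get("status")
    method = str(event.get("method") or "").upper()
    path = str(event.get("path") or "").lower()
    metadata = event.get("metadata") or {}
    has_actor = bool(event.get("actor_id"))
    has_email = bool(event.get("email") or metadata.get("email"))
    auth_path = any(tok in path for tok in AUTH_PATH_TOKENS)

    tags: list[str] = []
    if status in (401, 403) and auth_path:
        tags.append("inferred:auth.failure")
    if status == 200 and auth_path and has_actor:
        tags.append("inferred:auth.success")
    if "/logout" in path or "/signout" in path:
        tags.append("inferred:auth.logout")
    if ("/export" in path or "/download" in path) and ("rows" in metadata or "size" in metadata):
        tags.append("inferred:data.export")
    if ("register" in path or "signup" in path) and has_email:
        tags.append("inferred:account.create")
    if method == "DELETE" and ("/users" in path or "/accounts" in path):
        tags.append("inferred:account.delete")
    if _keys_containing(metadata, ROLE_KEY_TOKENS):
        tags.append("inferred:role.change")
    if _keys_containing(metadata, MFA_KEY_TOKENS):
        tags.append("inferred:mfa.event")
    if ("password" in path or "reset" in path) and has_email:
        tags.append("inferred:password.event")
    if status == 429:
        tags.append("inferred:rate.limited")
    return tags


def enrich(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the event with inferred types merged into its 'tags' list."""
    enriched = dict(event)
    existing = list(event.get("tags") or [])
    enriched["tags"] = existing + [t for t in infer_tags(event) if t not in existing]
    return enriched


# Constructed sample events (not real traffic), all sent as the generic api.request type.
SAMPLE_EVENTS = {
    "failed_login": {"event": "api.request", "status": 401, "method": "POST",
                     "path": "/api/auth/login", "ip": "203.0.113.10", "metadata": {}},
    "successful_login": {"event": "api.request", "status": 200, "method": "POST",
                         "path": "/api/auth/login", "actor_id": "u-42"},
    "bulk_export": {"event": "api.request", "status": 200, "method": "GET",
                    "path": "/reports/export", "actor_id": "u-42", "metadata": {"rows": 50000}},
    "signup": {"event": "api.request", "status": 201, "method": "POST", "path": "/signup",
               "metadata": {"email": "new.user@example.com"}},
    "role_change_with_mfa": {"event": "api.request", "status": 200, "method": "PATCH",
                             "path": "/api/users/42",
                             "metadata": {"new_role": "admin", "mfa_verified": True}},
    "rate_limited": {"event": "api.request", "status": 429, "method": "GET", "path": "/api/v1/items"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22} -> {infer_tags(ev)}")
```

The practical consequence for a sender: a bare `api.request` with a 401 on a login path is only counted toward brute-force detection because the inference fires, so if your login endpoint lives on a path these patterns do not recognise, send the explicit `auth.login.failure` type instead of relying on inference.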
Risk Scoring Summary
The following event types carry a non-zero base risk score. The composite risk score is additive: base score + threat intel + network flags + behavioral detections = final score (0–100).
| Event Type | Base Score | Category |
|---|---|---|
| server.container.escape_attempt | +60 | Server |
| server.log.tampered | +50 | Server |
| server.log.cleared | +45 | Server |
| auth.mfa.bypass_attempted | +40 | Auth |
| server.process.suspicious | +35 | Server |
| server.network.port_scan_detected | +35 | Server |
| auth.mfa.disabled | +30 | Auth |
| admin.user.impersonated | +25 | Admin |
| account.role.changed | +20 | Account |
| account.deleted | +15 | Account |
| account.email.changed | +15 | Account |
| data.exported | +15 | Data |
| server.file.modified | +15 | Server |
| server.firewall.rule_removed | +15 | Server |
| server.user.su | +15 | Server |
| account.phone.changed | +12 | Account |
| api.unauthorized | +12 | API |
| server.file.deleted | +12 | Server |
| server.file.permission_changed | +12 | Server |
| server.cron.added | +12 | Server |
| auth.login.failure | +10 | Auth |
| auth.password.changed | +10 | Auth |
| auth.oauth.connected | +10 | Auth |
| account.suspended | +10 | Account |
| data.bulk_import | +10 | Data |
| data.downloaded | +10 | Data |
| admin.config.changed | +10 | Admin |
| server.user.created | +10 | Server |
| server.user.deleted | +10 | Server |
| server.user.sudo | +10 | Server |
| server.cron.modified | +10 | Server |
| auth.password.reset_requested | +8 | Auth |
| auth.oauth.disconnected | +8 | Auth |
| data.modified | +8 | Data |
| admin.settings.updated | +8 | Admin |
| admin.api_key.revoked | +8 | Admin |
| server.ssh.login.failure | +8 | Server |
| server.firewall.rule_added | +8 | Server |
| auth.session.revoked | +5 | Auth |
| auth.token.revoked | +5 | Auth |
| data.accessed | +5 | Data |
| admin.billing.updated | +5 | Admin |
| admin.api_key.created | +5 | Admin |
| api.rate_limited | +5 | API |
| api.request.failed | +3 | API |
| server.process.executed | +3 | Server |
| server.container.started | +3 | Server |
Risk score is additive. Base score + threat intel + network flags + behavioral detections = composite score (0–100). An event with base score 0 can still reach high risk if it triggers threat intel matches (e.g., Tor exit node, Spamhaus-listed IP) or behavioral detections (e.g., impossible travel).