Events
Events are the raw, low-level security records flowing in from your data sources, available at /events.
What it does
Events are the underlying signal that AgentSOC normalizes and scores to produce alerts. Where an alert is a curated, enriched detection, an event is closer to the source — the individual log lines and records your integrations forward before any scoring or correlation is applied.
The Events view lets you search and filter this raw stream, including by data source and time range, so you can confirm exactly what was observed rather than only the platform's interpretation of it.
Events vs. alerts
Most triage happens on Alerts, because alerts are normalized, scored, and prioritized for you. Reach for Events when you need the ground truth:
- Confirming context. Verify what actually happened around an alert by inspecting the raw records.
- Hunting. Search for activity that did not (yet) generate an alert.
- Validating ingestion. Check that a newly connected source is forwarding data as expected.
- Investigating gaps. Look for low-level signals that fell below alerting thresholds.
If you are deciding what to act on, start with alerts. If you are answering "what really occurred," go to events.
Key actions
- Search and filter. Query events across your environment and narrow by source and time range.
- Open an event. Select a record to inspect its full raw detail.
- Pivot to alerts. When an event warrants action, move to the corresponding alert to triage it with full enrichment.
Tips
- Use events to substantiate findings, not as your primary work queue.
- Custom and third-party sources show up here once they are forwarding data — a missing source in Events usually points to an ingestion issue.