Security Events
Security events are records of threats and anomalies detected by the MeetLoyd platform. Every time the system blocks a malicious file, detects a prompt injection attempt, or identifies suspicious behavior, it creates a security event that your administrators can review and act on.
What Triggers a Security Event
Security events are created automatically when the platform detects something that requires attention:
| Category | Examples |
|---|---|
| File security | Malicious content, disguised files, credential exposure in documents |
| Prompt security | Adversarial content in chat messages or uploaded documents |
| Authentication security | Failed login patterns, unusual access patterns |
| Rate limiting | Excessive usage from a single source |
Events are never created manually -- they are always the result of an automated detection by the platform's security pipeline.
Severity Levels
Each event is assigned a severity based on the potential impact:
| Severity | Meaning | Examples |
|---|---|---|
| Critical | Active threat that could cause immediate harm | Disguised malware, high-confidence adversarial content |
| High | Significant threat that requires prompt investigation | Credential exposure, malicious document content |
| Medium | Suspicious activity that should be reviewed | Unusual file patterns, moderate-confidence detections |
| Low | Minor anomaly, informational | Rate limit approaching threshold |
Monitoring Security Events
Security Center Dashboard
Security events are visible in the Security Center, accessible from the shield icon in the top navigation bar. The dashboard provides:
- Real-time event stream -- New events appear immediately as they are detected, without refreshing the page
- Filtering -- Filter by severity, status, category, tenant, and date range
- Event details -- Click any event to see full details and the evidence collected for investigation
Event Statuses
Every security event has a status that tracks its lifecycle:
| Status | Meaning |
|---|---|
| Open | Newly detected, not yet reviewed |
| Investigating | An admin is looking into the event |
| Blocked | The threat was confirmed and action was taken |
| False positive | The detection was incorrect -- no actual threat |
| Resolved | Investigation complete, no further action needed |
Resolution Workflow
When you see a new security event:
- Review the event -- Open the event to see what was detected, who triggered it, and the evidence collected
- Investigate -- Determine whether the event represents a real threat or a false positive. Check the user's activity history and the file or message that triggered the detection
- Take action -- Based on your investigation:
- Mark as false positive if the detection was incorrect
- Block the user if the activity was intentional and malicious
- Warn the user if the activity was accidental (e.g., uploading a file containing old credentials)
- Quarantine the file if it was a file-based threat (this happens automatically on detection)
- Resolve -- Add a resolution note and close the event
Available Actions
| Action | When to Use |
|---|---|
| None | Event reviewed, no action needed |
| User warned | Notified the user about the security event |
| User blocked | Blocked the user's access to the platform |
| User suspended | Temporarily suspended the user's account |
| File quarantined | File moved to secure quarantine (automatic for detected threats) |
| IP blocked | Blocked the originating IP address |
SIEM Integration
Security events can be exported to your existing Security Information and Event Management (SIEM) system for centralized monitoring. MeetLoyd supports:
- Splunk, Datadog, Elastic Security, and SumoLogic as built-in destinations
- Custom HTTP endpoints for any SIEM that accepts webhooks (including Microsoft Sentinel and AWS Security Hub)
- Real-time streaming -- Events flow to your SIEM as they are detected
- Multiple formats -- JSON, CEF (Common Event Format), and LEEF (Log Event Extended Format)
This allows your security operations team to correlate MeetLoyd events with signals from the rest of your infrastructure in a single pane of glass.
See SIEM Integration for setup instructions.
Feature Availability
| Feature | Growth | Enterprise |
|---|---|---|
| Security event detection | Yes | Yes |
| Security Center dashboard | Yes | Yes |
| Real-time event stream | Yes | Yes |
| Event investigation & resolution | Yes | Yes |
| SIEM export | -- | Yes |
| Custom alert rules | -- | Yes |