Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Events

Introduction

Events are the individual interactions a user has with your website. Each event represents a discrete action or request — such as a login attempt, a transaction, or a page view — captured as it happens in real time. Events are the building blocks of Sessions, and together they provide the raw data for behavioral analysis, risk assessment, and investigation. The Hub’s architecture is designed to capture, enrich, and analyze these events to surface meaningful insights and automate security and fraud responses.

Sessions Events & Elements Sessions Events & Elements

Events, the middle row, contain Elements!

Data

Events are structured collections of Elements. When an Event is created, it may trigger a Workflow. Workflows are a set of automated rules and actions that operate on the Event, its data, and its associated Session.

Events contain many important data features; these are covered in detail in the Elements documentation. There are a handful worth mentioning in the context of Events. All Events have an ID and a timestamp to identify them and when they were observed. Events have a human readable name and a type, which takes a finite set of values and serves as a way to congregate Events that are similar in their structure. Each Event has an associated Session ID to link it to its parent Session as well as any Session Labels that were placed on the Session as a result of this Event. Let's look at an example of this data:

Session IDEvent IDTimestampEvent NameEvent TypeSession LabelsEmailMore Data...
112025-01-01 06:00:00Login through APIAuthentication Attempt[]test@testing.com...
212025-01-02 16:00:00Login through FormAuthentication Attempt[]another@testing.com...
222025-01-02 16:11:00View ProductSession Update["Returning User"]another@testing.com...
232025-01-02 16:15:00Buy ProductTransaction["Average Purchase Behavior"]another@testing.com...

This table shows two Sessions, each with their own Events. The Elements that identify the Event itself are present: Event ID, Session ID, Timestamp, Event Name, and Event Type. Following these are an example of some more data elements, there are over 200 possible Elements that can be mapped from applications. Typically, only a subset of these elements are mapped as they relate to business use cases. "Email" and "More Data" signify the collection of these further Elements.

Risk Rating

The Sessions article talks about the Session Risk Rating, but we need to cover an important detail as it relates to Events. The Session Risk Rating on an Event is the Risk Rating as it was recorded at the time of the Event. We do not go back in time to update the Risk Rating on Events if the rating changes later in the Session.

note

This enables investigators to observe how the risk rating changes over time and exactly which Event changes the risk rating and why.

The User Session Assessment's Risk Rating Chart is a visual representation of how the Session's Risk Rating evolves over time as more Events are observed. The individual Events are responsible for changing the Risk Rating and those changes are carried forward to future Events through the Session.

Session Labels

We mention that Session Labels are set on an Event, but they apply to the entire Session. What we mean by this is that an individual label is placed when an Event occurs. These labels are accessible to any subsequent Event when the rules engine queries for any labels stored on the Session. When observing an Event in the Hub, you will see the Session Labels that were placed on that Event, and only those Session Labels. The Session view on the User Session Assessment will show all Session Labels that were applied during the Session.

Actions

Actions occur on an Event when the Realtime Engine does something about the Event. These actions may notify a customer that risky behavior is potentially occurring (and the data associated with the behavior), modify the request to inform customer applications of the behavior, or stop the behavior altogether! Actions are taken on individual Events, but the data from the overall Session is used to determine whether we should take this Action.

Analysis and Querying

The Hub provides powerful tools for analyzing events. The User Session Assessment has an Event Timeline that details the series of Events within the Session in chronological order. The timeline can be filtered by event type, event name, and session labels, making it easy to focus on relevant activity.

For deeper investigation, the Event Inspector allows users to drill down into the finest details of any individual event. Analysts can view all elements, labels, rule executions, and actions taken associated with the event. This granular view allows users to inspect what happened on a given Event and why.