Events
Introduction
Events are the individual interactions a user has with your website. Each event represents a discrete action or request — such as a login attempt, a transaction, or a page view — captured as it happens in real time. Events are the building blocks of Sessions, and together they provide the raw data for behavioral analysis, risk assessment, and investigation. The Hub’s architecture is designed to capture, enrich, and analyze these events to surface meaningful insights and automate security and fraud responses.


Events, the middle row, contain Elements!
Data
Events are structured collections of Elements. When an Event is created, it may trigger a Workflow. Workflows are a set of automated rules and actions that operate on the Event, its data, and its associated Session.
Events contain many important data features; these are covered in detail in the Elements documentation. There are a handful worth mentioning in the context of Events. All Events have an ID and a timestamp to identify them and when they were observed. Events have a human readable name and a type, which takes a finite set of values and serves as a way to congregate Events that are similar in their structure. Each Event has an associated Session ID to link it to its parent Session as well as any Session Labels that were placed on the Session as a result of this Event. Let's look at an example of this data:
Session ID | Event ID | Timestamp | Event Name | Event Type | Session Labels | More Data... | |
---|---|---|---|---|---|---|---|
1 | 1 | 2025-01-01 06:00:00 | Login through API | Authentication Attempt | [] | test@testing.com | ... |
2 | 1 | 2025-01-02 16:00:00 | Login through Form | Authentication Attempt | [] | another@testing.com | ... |
2 | 2 | 2025-01-02 16:11:00 | View Product | Session Update | ["Returning User"] | another@testing.com | ... |
2 | 3 | 2025-01-02 16:15:00 | Buy Product | Transaction | ["Average Purchase Behavior"] | another@testing.com | ... |
This table shows two Sessions, each with their own Events. The Elements that identify the Event itself are present: Event ID, Session ID, Timestamp, Event Name, and Event Type. Following these are an example of some more data elements, there are over 200 possible Elements that can be mapped from applications. Typically, only a subset of these elements are mapped as they relate to business use cases. "Email" and "More Data" signify the collection of these further Elements.
Risk Rating
The Sessions article talks about the Session Risk Rating, but we need to cover an important detail as it relates to Events. The Session Risk Rating on an Event is the Risk Rating as it was recorded at the time of the Event. We do not go back in time to update the Risk Rating on Events if the rating changes later in the Session.
note
This enables investigators to observe how the risk rating changes over time and exactly which Event changes the risk rating and why.
The User Session Assessment's Risk Rating Chart is a visual representation of how the Session's Risk Rating evolves over time as more Events are observed. The individual Events are responsible for changing the Risk Rating and those changes are carried forward to future Events through the Session.
Session Labels
We mention that Session Labels are set on an Event, but they apply to the entire Session. What we mean by this is that an individual label is placed when an Event occurs. These labels are accessible to any subsequent Event when the rules engine queries for any labels stored on the Session. When observing an Event in the Hub, you will see the Session Labels that were placed on that Event, and only those Session Labels. The Session view on the User Session Assessment will show all Session Labels that were applied during the Session.
Actions
Actions occur on an Event when the Realtime Engine does something about the Event. These actions may notify a customer that risky behavior is potentially occurring (and the data associated with the behavior), modify the request to inform customer applications of the behavior, or stop the behavior altogether! Actions are taken on individual Events, but the data from the overall Session is used to determine whether we should take this Action.
Analysis and Querying
The Hub provides powerful tools for analyzing events. The User Session Assessment has an Event Timeline that details the series of Events within the Session in chronological order. The timeline can be filtered by event type, event name, and session labels, making it easy to focus on relevant activity.
For deeper investigation, the Event Inspector allows users to drill down into the finest details of any individual event. Analysts can view all elements, labels, rule executions, and actions taken associated with the event. This granular view allows users to inspect what happened on a given Event and why.