Understanding Detection Alerts

Learn how LiteSOC detects threats and what each alert type means.

Last updated: 2026-03-01

LiteSOC uses behavioral AI to automatically detect security threats in your application. This guide explains the different types of alerts and how to respond to them.

Alert Types

LiteSOC detects several types of security threats:

🔴 Brute Force Attack

What it is: Multiple failed login attempts from the same IP or targeting the same account.

Trigger conditions:

  • 5+ failed logins in 5 minutes from same IP
  • 10+ failed logins targeting same account in 1 hour

Recommended actions:

  1. Check if it's a legitimate user who forgot their password
  2. Consider temporarily blocking the IP
  3. Enable rate limiting on your login endpoint
  4. Require CAPTCHA after failed attempts
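The two trigger conditions above, implemented as sliding-window counters and run over a constructed login log. This is an added illustration, not LiteSOC's own detection code; the log line format, the IP addresses and the account names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the trigger conditions above.
IP_THRESHOLD, IP_WINDOW = 5, timedelta(minutes=5)
ACCOUNT_THRESHOLD, ACCOUNT_WINDOW = 10, timedelta(hours=1)

# Constructed sample log (not real LiteSOC output), in time order. One event per line:
# "<ISO timestamp> <FAIL|OK> <source ip> <account>"
SAMPLE_LOG = "\n".join(
    [
        "2026-03-01T10:00:00 FAIL 203.0.113.50 alice",  # one IP spraying several accounts
        "2026-03-01T10:00:30 FAIL 203.0.113.50 alice",
        "2026-03-01T10:01:00 FAIL 203.0.113.50 carol",
        "2026-03-01T10:01:30 FAIL 203.0.113.50 dave",
        "2026-03-01T10:02:00 FAIL 203.0.113.50 erin",   # 5th failure in 2 minutes -> IP rule fires
        "2026-03-01T10:03:00 OK   198.51.100.7 alice",  # successes are ignored by both rules
        "2026-03-01T10:05:00 FAIL 198.51.100.7 alice",  # a forgetful user: 3 failures spread
        "2026-03-01T10:09:00 FAIL 198.51.100.7 alice",  # over 11 minutes never reach 5 in 5
        "2026-03-01T10:16:00 FAIL 198.51.100.7 alice",
    ]
    # One account hit from ten different IPs, one failure every 4 minutes (10:20 .. 10:56):
    # no single IP reaches 5 in 5 minutes, but the account reaches 10 within an hour.
    + [f"2026-03-01T10:{20 + 4 * i}:00 FAIL 192.0.2.{i + 1} bob" for i in range(10)]
)


def parse_line(line):
    """Split one log line into (timestamp, failed?, ip, account)."""
    ts, result, ip, account = line.split()
    return datetime.fromisoformat(ts), result == "FAIL", ip, account


class SlidingWindowCounter:
    """Counts events per key, keeping only those inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:  # evict events older than the window
            q.popleft()
        return len(q)


def detect_brute_force(lines):
    """Return [(timestamp, rule, key)] alerts; each key alerts at most once per run."""
    by_ip = SlidingWindowCounter(IP_WINDOW)
    by_account = SlidingWindowCounter(ACCOUNT_WINDOW)
    alerts, fired = [], set()
    for line in lines:
        ts, failed, ip, account = parse_line(line)
        if not failed:
            continue
        if by_ip.add(ip, ts) >= IP_THRESHOLD and ("ip", ip) not in fired:
            fired.add(("ip", ip))
            alerts.append((ts, "brute_force_ip", ip))
        if by_account.add(account, ts) >= ACCOUNT_THRESHOLD and ("account", account) not in fired:
            fired.add(("account", account))
            alerts.append((ts, "brute_force_account", account))
    return alerts


def run_sample():
    return detect_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, rule, key in run_sample():
        print(f"{ts.isoformat()} {rule} {key}")
```

Two alerts come out of the sample: the per-IP rule fires on the fifth failure from 203.0.113.50 at 10:02, and the per-account rule fires on bob's tenth failure at 10:56 even though each of the ten source IPs only failed once, which is why both counters are needed.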

🟠 Impossible Travel

What it is: A user logging in from two geographically distant locations in an impossibly short time.

Trigger conditions:

  • Login from Location A, then Location B
  • Implied travel speed (distance between the two locations divided by the time between the logins) exceeds 500 mph (physically impossible)

Example:

  • Login from New York at 10:00 AM
  • Login from London at 10:30 AM
  • Distance: ~3,500 miles in 30 minutes = impossible
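The speed check behind this alert, carried through on the example above with a great-circle (haversine) distance. This is an added illustration, not LiteSOC's implementation; the coordinates, the user names and the 10:00/10:30 timestamps are constructed for the example, and in practice the latitude and longitude would come from geolocating each login's source IP.

```python
import math
from datetime import datetime

MAX_SPEED_MPH = 500  # threshold from the trigger conditions above
EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def implied_speed_mph(prev, cur):
    """Speed needed to get from login `prev` to login `cur`; each is (timestamp, lat, lon)."""
    miles = haversine_miles(prev[1], prev[2], cur[1], cur[2])
    hours = (cur[0] - prev[0]).total_seconds() / 3600
    if hours <= 0:
        # Same second (or out-of-order timestamps): any distance at all is unreachable.
        return math.inf if miles > 0 else 0.0
    return miles / hours


def check_impossible_travel(logins):
    """Compare each login of one user with the previous one.

    `logins` is a time-ordered list of (timestamp, lat, lon). Returns [(timestamp, speed_mph)]
    for every login whose implied speed from the previous login exceeds MAX_SPEED_MPH.
    """
    alerts = []
    for prev, cur in zip(logins, logins[1:]):
        speed = implied_speed_mph(prev, cur)
        if speed > MAX_SPEED_MPH:
            alerts.append((cur[0], speed))
    return alerts


# Constructed sample data (approximate city-centre coordinates).
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
BOSTON = (42.3601, -71.0589)


def at(hour, minute):
    return datetime(2026, 3, 1, hour, minute)


SAMPLE_LOGINS = {
    # The page's example: New York at 10:00, London at 10:30 -> ~3,460 miles in 30 minutes.
    "john@example.com": [(at(10, 0), *NEW_YORK), (at(10, 30), *LONDON)],
    # A plausible day: New York at 10:00, Boston at 14:00 -> ~190 miles in 4 hours, no alert.
    "jane@example.com": [(at(10, 0), *NEW_YORK), (at(14, 0), *BOSTON)],
}


def run_sample():
    """Evaluate every sample user; returns {user: [(timestamp, speed_mph), ...]}."""
    return {user: check_impossible_travel(logins) for user, logins in SAMPLE_LOGINS.items()}


if __name__ == "__main__":
    for user, alerts in run_sample().items():
        for ts, speed in alerts:
            print(f"{user}: {ts.isoformat()} implies {speed:,.0f} mph")
```

The New York to London pair works out to roughly 6,900 mph and is flagged; the New York to Boston pair is under 50 mph and is not. Note that the geolocation step, not the arithmetic, is where the VPN false positives mentioned in the recommended actions come from: a login through a VPN is placed at the VPN's egress location, so the same computation will flag a user who simply switched their VPN on between two logins.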

Recommended actions:

  1. Verify the user hasn't shared credentials
  2. Check for VPN usage (may trigger false positives)
  3. Contact the user to confirm legitimate access
  4. Consider forcing password reset

🟡 Geo-Anomaly

What it is: Login from an unusual location for that user.

Trigger conditions:

  • First login from a new country
  • Login from a country on your blocklist
  • Unusual location pattern for the user

Recommended actions:

  1. Send the user a "new login location" notification
  2. Require additional verification (MFA)
  3. Review if the location is expected (travel, remote work)

🔴 Suspicious Network

What it is: Login from a high-risk network (VPN, Tor, datacenter IP).

Trigger conditions:

  • Connection through known VPN provider
  • Tor exit node detected
  • Datacenter/cloud provider IP (not residential)

Recommended actions:

  1. Assess your risk tolerance for VPN users
  2. Consider blocking Tor access for sensitive operations
  3. Require additional authentication steps

Alert Severity Levels

| Severity | Color | Response Time | Examples |
|---|---|---|---|
| Critical | 🔴 Red | Immediate | Active brute force, account takeover |
| High | 🟠 Orange | Within 1 hour | Impossible travel, suspicious network |
| Medium | 🟡 Yellow | Within 24 hours | Geo-anomaly, new device |
| Low | 🟢 Green | Review weekly | Info events, successful logins |

Managing Alerts

Viewing Alerts

  1. Go to Dashboard → Alerts
  2. Alerts are sorted by severity and time
  3. Click any alert for full details

Resolving Alerts

  1. Click the alert to open details
  2. Review the evidence and context
  3. Choose an action:
    • Dismiss - False positive, no action needed
    • Acknowledge - Noted, will monitor
    • Escalate - Requires immediate action
  4. Add notes for your team

Setting Up Notifications

  1. Go to Settings → Integrations
  2. Connect Slack, Discord, or email
  3. Configure which severity levels trigger notifications

Reducing False Positives

VPN Users

If your users commonly use VPNs:

  1. Go to Settings → Detection Rules
  2. Adjust VPN sensitivity or allowlist known providers

Remote Teams

For distributed teams:

  1. Add expected countries to your allowlist
  2. Adjust impossible travel thresholds
  3. Consider user-specific baselines

Service Accounts

For automated systems:

  1. Tag service accounts appropriately
  2. Exclude them from certain detection rules
  3. Use dedicated IP allowlists
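The Geo-Anomaly rule from the Alert Types section together with the three tuning knobs from this section (country allowlist, user-specific baselines, service-account exclusion), as an added example in Python. It is not LiteSOC's own rule engine, and two points are my reading of the page rather than documented product behaviour: that an allowlisted country suppresses the "first login from a new country" trigger, and that tagging a service account amounts to excluding it from this rule. The user names, the country codes and the placeholder blocklisted code "XX" are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class GeoAnomalyRule:
    """Per-user country baseline with the tuning knobs described on this page.

    blocklist:      countries that always alert, even for users seen there before
    allowlist:      countries where logins are expected, so a first login from them is not an alert
    excluded_users: accounts tagged as service accounts, skipped entirely by this rule
    seen:           the learned baseline, user -> set of countries seen so far
    """
    blocklist: set = field(default_factory=set)
    allowlist: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)

    def evaluate(self, user, country):
        """Return an alert tuple (rule, user, country) or None, and update the baseline."""
        if user in self.excluded_users:
            return None
        if country in self.blocklist:
            # A blocklisted login is not added to the baseline: it must keep alerting.
            return ("geo_anomaly_blocklisted_country", user, country)
        prior = self.seen.setdefault(user, set())
        alert = None
        if country not in prior and country not in self.allowlist:
            alert = ("geo_anomaly_new_country", user, country)
        prior.add(country)  # learn the country either way so the user is alerted only once
        return alert


# Constructed sample events in time order: (user, country code of the login's source IP).
SAMPLE_EVENTS = [
    ("alice@example.com", "US"),        # first login ever, but US is allowlisted -> no alert
    ("alice@example.com", "US"),
    ("alice@example.com", "DE"),        # first login from a non-allowlisted country -> alert
    ("alice@example.com", "DE"),        # now part of alice's baseline -> no alert
    ("bob@example.com", "GB"),          # allowlisted -> no alert
    ("bob@example.com", "XX"),          # placeholder blocklisted code -> alert, and not learned
    ("svc-backup@example.com", "NL"),   # service account excluded from this rule -> no alert
    ("svc-backup@example.com", "JP"),
]


def run_sample():
    """Run the sample events through a rule tuned the way the sections above describe."""
    rule = GeoAnomalyRule(
        blocklist={"XX"},
        allowlist={"US", "CA", "GB"},
        excluded_users={"svc-backup@example.com"},
    )
    return [a for a in (rule.evaluate(u, c) for u, c in SAMPLE_EVENTS) if a]


if __name__ == "__main__":
    for rule_name, user, country in run_sample():
        print(f"{rule_name}: {user} from {country}")
```

Only two of the eight sample logins alert: alice's first login from DE, and bob's login from the blocklisted country. Widening the allowlist or adding a user to the exclusion set is exactly what the settings in this section do, and the trade-off is visible in the code: every country you allowlist is one from which a genuinely new login will no longer be noticed.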

Need help tuning your alerts? Contact support or check our API documentation.

Responding to Security Incidents

Step-by-step guide to handling security alerts and incidents.

Last updated: 2026-03-01

Responding to Security Incidents

When LiteSOC detects a potential security threat, quick and effective response is crucial. This guide provides a framework for handling security incidents.

Incident Response Framework

1. Identify

Goal: Confirm the alert is a real threat.

Steps:

  1. Review the alert details in LiteSOC
  2. Check the actor's recent activity
  3. Look for patterns (multiple alerts, unusual behavior)
  4. Gather context (time, location, device)

Questions to ask:

  • Is this a known user or attacker?
  • Does the activity match normal behavior?
  • Are there other related alerts?

2. Contain

Goal: Stop the threat from spreading.

Immediate actions:

  • Disable compromised accounts
  • Revoke active sessions
  • Block suspicious IPs
  • Disable affected API keys

In LiteSOC:

  1. Go to the alert details
  2. Click "View Actor"
  3. Use quick actions to disable/block

3. Investigate

Goal: Understand the full scope.

Steps:

  1. Export affected events from LiteSOC
  2. Review the timeline of activity
  3. Identify all affected resources
  4. Check for data access or exfiltration

Key evidence to collect:

  • Login timestamps and locations
  • Actions performed during session
  • Data accessed or exported
  • IP addresses and user agents

4. Remediate

Goal: Fix vulnerabilities and restore security.

Common remediation steps:

  • Force password reset for affected users
  • Rotate compromised API keys
  • Patch identified vulnerabilities
  • Update firewall rules
  • Enable additional MFA requirements

5. Document

Goal: Create a record for compliance and learning.

Document:

  • Incident timeline
  • Root cause analysis
  • Actions taken
  • Lessons learned
  • Prevention measures

In LiteSOC:

  1. Add notes to the resolved alert
  2. Export incident report
  3. Store in your compliance records

Common Incident Scenarios

Scenario 1: Brute Force Attack

```
Alert: 50 failed login attempts in 10 minutes
Actor: unknown@attacker.com
IP: 203.0.113.50
```

Response:

  1. ✅ Block the IP immediately
  2. ✅ Check if any attempts succeeded
  3. ✅ Review other accounts targeted
  4. ✅ Enable rate limiting
  5. ✅ Consider CAPTCHA implementation

Scenario 2: Impossible Travel

```
Alert: Login from NYC, then Tokyo in 30 minutes
Actor: john@company.com
Risk: Account may be compromised
```

Response:

  1. ✅ Contact the user directly
  2. ✅ Check if one login was via VPN
  3. ✅ If suspicious, force logout all sessions
  4. ✅ Require password reset
  5. ✅ Review recent account activity

Scenario 3: Data Export by Unknown IP

```
Alert: Large data export from new location
Actor: admin@company.com
Data: 10,000 records exported
```

Response:

  1. ✅ Verify with admin user immediately
  2. ✅ If unauthorized, disable account
  3. ✅ Revoke data export if possible
  4. ✅ Assess data sensitivity
  5. ✅ Prepare breach notification if required

Post-Incident Checklist

After resolving an incident:

  • All affected accounts secured
  • Compromised credentials rotated
  • Root cause identified
  • Incident documented
  • Team debriefed
  • Detection rules updated
  • Monitoring enhanced
  • Compliance notified (if required)

When to Escalate

Escalate to leadership or legal when:

  • Personal data may have been accessed
  • Financial systems were compromised
  • Regulatory notification may be required
  • Attack is ongoing and sophisticated
  • You're unsure of the scope

Need immediate help with an incident? Contact our security team or call our emergency hotline.