Securitymedium

What security signals should you log and monitor, and why?

Answer

Log auth events (login failures, MFA changes), privilege changes, access to sensitive data, and unusual traffic patterns. Monitor for spikes, geo-anomalies, and failed actions to detect abuse early and support incident response.

Advanced answer

Deep dive

Security logs must be actionable and privacy-aware:

Auth events: logins, failures, MFA enrollment/disable, token issuance.
Privilege events: role changes, admin actions, policy edits.
Data access: reads of sensitive data, exports, bulk operations.
Anomalies: geo-velocity, IP reputation, sudden spikes.

Examples

Minimal log schema:

{ userId, action, target, result, ip, userAgent, traceId }

Common pitfalls

Logging secrets or full PII in clear text.
No correlation IDs, so incidents cannot be traced end-to-end.
No alerting, so logs are only used after a breach.

Interview follow-ups

How do you balance privacy vs detection?
What events should trigger immediate paging?
How long should logs be retained?