Without authentication event logging, a brute-force campaign, a credential-stuffing run, or an account takeover leaves no trace in your infrastructure. CWE-778 (Insufficient Logging) applies directly, and OWASP Top 10 A09:2021 (Security Logging and Monitoring Failures) names unlogged auditable events such as logins and failed logins as a primary failure mode. PCI DSS Requirement 10 requires audit logs of access to system components, including invalid logical access attempts and changes to authentication credentials, and ISO/IEC 27001:2022 Annex A control 8.15 (Logging) requires that logs of activities, exceptions and other relevant events be produced, stored and protected. When an account is compromised and there are no logs, you cannot establish scope, timeline, or the set of affected users; incident response becomes guesswork.
Severity is info because missing auth logs do not directly enable an attack; they prevent detection, investigation, and response once one occurs.
Log key auth events as structured JSON so they can be queried and alerted on. Never log passwords, session tokens, or reset tokens, and keep field names stable across event types so one query covers all of them:
// Structured auth event logging (Fetch-API style request object, as in
// Next.js route handlers or edge runtimes)
console.log(JSON.stringify({
  event: 'auth.login.success',
  userId: user.id,
  // X-Forwarded-For is only trustworthy behind a proxy you control, and it can be a
  // comma-separated chain, so take the client hop and fall back to a placeholder
  ip: request.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown',
  userAgent: request.headers.get('user-agent'),
  timestamp: new Date().toISOString()
}))
// Failed login: record the identifier that was tried (never the submitted password)
// so brute force against one account and stuffing across many accounts are both visible
console.log(JSON.stringify({
  event: 'auth.login.failure',
  email, // the identifier that was attempted, not the password
  ip: request.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown',
  timestamp: new Date().toISOString()
}))
Ship these events to your log aggregation service (Datadog, Logtail, CloudWatch) and alert on two patterns: N login failures for one account within a sliding window (brute force), and failures against many distinct accounts from one source address within a window (credential stuffing, which a per-account threshold alone will miss). If you use Clerk or Auth0, confirm that the provider's own event logs are exported to your SIEM rather than left only in the vendor dashboard, where retention and alerting are outside your control.
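As an added example, not part of the original rule text or any provider's code, the following JavaScript shows an event builder that refuses credential-like fields, the X-Forwarded-For normalization, and the two sliding-window detectors the alert rule above describes, run over constructed sample events. The function names, thresholds, and sample data are assumptions made for this illustration.

```javascript
// Added example, not from the original rule text. Names, thresholds and the
// sample events below are assumptions made for illustration.

// Field names that must never reach a log line, matched case-insensitively.
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret', 'authorization', 'cookie']);

// Reduce an X-Forwarded-For chain ("client, proxy1, proxy2") to the client hop.
// Assumption: one trusted proxy in front of the app sets or appends to this
// header; without that, the value is attacker-controlled and should not be trusted.
function clientIp(xff, remoteAddr = 'unknown') {
  const first = (xff ?? '').split(',')[0].trim();
  return first || remoteAddr;
}

// Build one structured auth event. A caller that passes a credential-like
// field gets an exception, so the mistake surfaces in tests rather than in logs.
function buildAuthEvent(event, fields, now = new Date()) {
  for (const key of Object.keys(fields)) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      throw new Error(`refusing to log sensitive field: ${key}`);
    }
  }
  return { event, timestamp: now.toISOString(), ...fields };
}

// Failed-login events in time order, as a detector reads them back from the aggregator.
function failuresInOrder(events) {
  return events
    .filter(e => e.event === 'auth.login.failure')
    .map(e => ({ ...e, t: Date.parse(e.timestamp) }))
    .sort((a, b) => a.t - b.t);
}

// Brute force: more than maxFailures failed logins for one identifier within
// windowMs. The per-identifier queue keeps only timestamps inside the window.
function bruteForceAlerts(events, { maxFailures = 5, windowMs = 5 * 60_000 } = {}) {
  const recent = new Map();
  const alerts = new Set();
  for (const e of failuresInOrder(events)) {
    const q = recent.get(e.email) ?? [];
    q.push(e.t);
    while (e.t - q[0] > windowMs) q.shift();
    recent.set(e.email, q);
    if (q.length > maxFailures) alerts.add(e.email);
  }
  return [...alerts];
}

// Credential stuffing: one source address failing against at least minDistinctUsers
// different identifiers within windowMs. A per-account threshold alone misses this,
// because each account sees only one or two failures.
function credentialStuffingAlerts(events, { minDistinctUsers = 3, windowMs = 5 * 60_000 } = {}) {
  const recent = new Map();
  const alerts = new Set();
  for (const e of failuresInOrder(events)) {
    const q = (recent.get(e.ip) ?? []).filter(x => e.t - x.t <= windowMs);
    q.push({ t: e.t, email: e.email });
    recent.set(e.ip, q);
    if (new Set(q.map(x => x.email)).size >= minDistinctUsers) alerts.add(e.ip);
  }
  return [...alerts];
}

// Constructed sample events (not real data): six failures against one account
// from one address, three accounts tried from a second address, one stray
// failure elsewhere, and one success.
const BASE = Date.parse('2024-01-01T00:00:00Z');
const at = seconds => new Date(BASE + seconds * 1000);
const SAMPLE_EVENTS = [
  ...[0, 10, 20, 30, 40, 50].map(s =>
    buildAuthEvent('auth.login.failure', { email: 'alice@example.com', ip: clientIp('203.0.113.5, 10.0.0.2') }, at(s))),
  buildAuthEvent('auth.login.success', { userId: 'u-1', ip: '203.0.113.5' }, at(70)),
  ...['bob', 'carol', 'dave'].map((n, i) =>
    buildAuthEvent('auth.login.failure', { email: `${n}@example.com`, ip: '198.51.100.7' }, at(100 + 5 * i))),
  buildAuthEvent('auth.login.failure', { email: 'erin@example.com', ip: '192.0.2.9' }, at(3600)),
];

for (const e of SAMPLE_EVENTS) console.log(JSON.stringify(e));
console.log('brute force:', bruteForceAlerts(SAMPLE_EVENTS));                 // [ 'alice@example.com' ]
console.log('credential stuffing:', credentialStuffingAlerts(SAMPLE_EVENTS)); // [ '198.51.100.7' ]
```

The two detectors deliberately key on different fields: the brute-force check groups by the attempted identifier regardless of source, while the stuffing check groups by source address regardless of account. Tune `maxFailures`, `minDistinctUsers`, and the window to your traffic; raising `minDistinctUsers` to 4 makes the sample's stuffing alert disappear, which is the kind of threshold sensitivity worth measuring against real failure rates before enabling paging.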
ID: saas-authentication.session-management.auth-events-logged
Severity: info
What to look for: Check login, logout, registration, password change, and failed login handlers for audit logging. Look for structured log statements that record the event type, timestamp, user identifier (not password), and IP address. Check if failed login attempts are logged in a way that enables incident investigation. Count all instances found and enumerate each.
Pass criteria: Key auth events (login success, login failure, logout, password change) are logged with enough context to support incident investigation. Sensitive fields (passwords, tokens) are not logged. At least 1 implementation must be confirmed.
Fail criteria: No auth event logging — login successes, failures, and security events are not recorded.
Skip (N/A) when: Fully managed auth provider logs these events internally (Clerk, Auth0). Signal: no custom auth handlers.
Detail on fail: "No auth event logging found — failed login attempts and successful authentications are not recorded, making incident investigation difficult".
Remediation: Auth event logs are your first line of investigation when accounts are compromised. Log events without logging sensitive data:
console.log(JSON.stringify({
  event: 'auth.login.success',
  userId: user.id,
  // take the client hop of X-Forwarded-For; only trustworthy behind a proxy you control
  ip: request.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown',
  timestamp: new Date().toISOString(),
  userAgent: request.headers.get('user-agent')
}))
Severity is informational: structured auth logging is valuable, but its absence is a detection and response gap rather than an exploitable weakness.