artisanpack-ui/security-analytics

Security analytics for Laravel — security event logging, anomaly detection, threat intelligence, SIEM export (Splunk, Datadog, Elasticsearch, syslog), incident response, alerting, and dashboards.

Maintainers

Package info

github.com/ArtisanPack-UI/security-analytics

pkg:composer/artisanpack-ui/security-analytics

Transparency log

Statistics

Installs: 80

Dependents: 1

Suggesters: 1

Stars: 0

Open Issues: 2

1.1.0 2026-07-08 01:47 UTC

This package is auto-updated.

Last update: 2026-07-08 01:49:20 UTC


README

Security analytics for Laravel: structured security event logging, pluggable anomaly detection, threat intelligence aggregation, SIEM export (Datadog / Elasticsearch / Splunk / Syslog / Webhook), playbook-driven incident response automation, multi-channel alerting, reports, and a Livewire dashboard.

This package is part of the ArtisanPack UI Security 2.0 split — the analytics, monitoring, and incident-response features previously bundled inside artisanpack-ui/security (1.x) live here in 2.0+.

Features

  • Event loggingSecurityEventLogger plus a LogAuthenticationEvents listener that captures Laravel auth events automatically into a structured security_events table.
  • Anomaly detection — 8 pluggable detectors (BruteForce, CredentialStuffing, GeoVelocity, PrivilegeEscalation, AccessPattern, Behavioral, Statistical, RuleBased) orchestrated by AnomalyDetectionService with per-user baselines via BaselineManager.
  • Threat intelligence — 5 pluggable providers (AbuseIPDB, GoogleSafeBrowsing, IpQualityScore, VirusTotal, CustomFeed) aggregated by ThreatIntelligenceService.
  • SIEM export — 5 pluggable exporters (Datadog, Elasticsearch, Splunk, Syslog, Webhook) backed by SiemExportService.
  • Incident response automation — 10 pluggable actions (block IP / user, lock account, revoke sessions, force password reset, require 2FA, terminate session, notify admin, rate-limit IP, enable enhanced logging, log event) coordinated by IncidentResponder and driven by ResponsePlaybook definitions.
  • Alerting — 8 channels (Database, Email, OpsGenie, PagerDuty, Slack, Sms, Teams, Webhook) routed via AlertManager with AlertRule definitions and AlertHistory audit.
  • Reports — 6 report types (ExecutiveSummary, Incident, Compliance, Threat, Trend, UserActivity) generated on-demand or on a schedule via ScheduledReport.
  • Dashboard — bundled SecurityDashboardController (10 JSON endpoints) plus 4 Livewire components (SecurityDashboard, SecurityEventList, SecurityStats, SuspiciousActivityList) with shipped Blade views.
  • Eloquent models (11), migrations (10), and factories (9) for the full schema.
  • Console commands (11) for processing, pruning, exporting, generating reports, syncing threat feeds, and updating behavior baselines.
  • Background jobs (5) for off-request analysis, SIEM export, scheduled reports, metric processing, and alert delivery.
  • Events (3) — SecurityEventOccurred, AnomalyDetected, SuspiciousActivityDetected — subscribe to integrate with downstream systems.
  • SecurityAnalytics Facade + security_analytics() helper.

AI features

The package registers three AI-assisted surfaces via artisanpack-ui/ai when installed. Each is a plain Livewire component wired to an agent that extends ArtisanPackUI\Ai\Agents\ArtisanPackAgent, so it inherits the shared feature toggle, credential resolver, cache pipeline, and usage tracking.

Feature key Agent Livewire component Default model Purpose
security.threat_triage ThreatTriageAgent ThreatTriagePanel claude-sonnet-4-6 Plain-language severity and recommended actions for a single SecurityEvent.
security.anomaly_summary AnomalySummaryAgent AnomalySummaryPanel claude-haiku-4-5-20251001 Periodic digest of unusual events over a configurable window (default 24h).
security.incident_response IncidentResponseAgent IncidentResponsePanel claude-opus-4-7 Suggested next steps for an open SecurityIncident. Advisory only — never triggers actions.

Features are discovered automatically from the service provider's aiFeatures() method by the artisanpack-ui/ai boot pass — no manual registration required. Each feature is togglable at runtime via the shared feature registry, and each Livewire panel renders a disabled state when the feature is off or when credentials cannot be resolved (no LLM calls happen in either case).

Render a panel inline anywhere you have an event or incident:

{{-- On the security-event detail surface --}}
<livewire:security-analytics.threat-triage-panel :event-id="$event->id" />

{{-- Somewhere on the dashboard --}}
<livewire:security-analytics.anomaly-summary-panel />

{{-- On the incident detail surface --}}
<livewire:security-analytics.incident-response-panel :incident-id="$incident->id" />

The three agents are also invocable directly from PHP:

use ArtisanPackUI\SecurityAnalytics\AI\Agents\ThreatTriageAgent;

$triage = ThreatTriageAgent::for( $securityEvent )->run();
// [ 'severity' => 'high', 'summary' => '…', 'recommended_actions' => [ … ], 'related_events' => [ … ] ]

Override the shipped Blade views by shadowing them under resources/views/vendor/security-analytics/livewire/{threat-triage-panel,anomaly-summary-panel,incident-response-panel}.blade.php.

Installation

composer require artisanpack-ui/security-analytics
php artisan migrate

(Optional) Publish the config:

php artisan vendor:publish --tag=security-analytics-config

Quick start

Log a security event:

use ArtisanPackUI\SecurityAnalytics\Facades\SecurityAnalytics;

security_analytics()->logger()->log(
    type: 'authentication',
    name: 'login.failed',
    severity: 'warning',
    context: ['username' => $request->input('email')],
);

Or react to the auth events Laravel fires:

// The package's LogAuthenticationEvents listener wires this up automatically.
// To opt out, set config('artisanpack.security-analytics.auto_log_auth_events') to false.

Mount the dashboard:

// The dashboard routes auto-register under the configured prefix (default: /security).
// Visit /security/dashboard to see the Livewire UI.

Dashboard Blade views

The dashboard views ship as plain HTML + Tailwind by design — the package does not depend on artisanpack-ui/livewire-ui-components. To customize them, shadow the package views by placing your own files at resources/views/vendor/security-analytics/livewire/*.blade.php — Laravel resolves overrides before package defaults.

Documentation

Requirements

  • PHP 8.3+
  • Laravel 10 / 11 / 12 / 13
  • artisanpack-ui/ai ^1.0.0-alpha.1 — foundation for the three AI features (see AI features)
  • livewire/livewire ^3.6 or ^4.0 (only required for the dashboard UI + AI panels; the rest of the package works without Livewire)

Sibling packages

Package Scope
artisanpack-ui/security-full Meta-package — pulls in the full security suite (all six packages below) in a single require
artisanpack-ui/security Core: input sanitization, escaping, CSP, security headers
artisanpack-ui/security-auth 2FA, password complexity, account lockout, sessions
artisanpack-ui/security-advanced-auth WebAuthn, SSO, social login
artisanpack-ui/rbac Roles, permissions, Gate integration
artisanpack-ui/secure-uploads File validation, malware scanning, signed-URL serving
artisanpack-ui/compliance GDPR / CCPA / LGPD compliance tools

License

MIT — see LICENSE.

Contributing

Please read the contributing guidelines before opening an issue or PR.