artisanpack-ui / security-analytics
Security analytics for Laravel — security event logging, anomaly detection, threat intelligence, SIEM export (Splunk, Datadog, Elasticsearch, syslog), incident response, alerting, and dashboards.
Package info
github.com/ArtisanPack-UI/security-analytics
pkg:composer/artisanpack-ui/security-analytics
Requires
- php: ^8.3
- artisanpack-ui/ai: ^1.0.0-alpha.1
- artisanpack-ui/core: ^1.0
- illuminate/support: ^10.0|^11.0|^12.0|^13.0
Requires (Dev)
- artisanpack-ui/code-style: ^1.1
- artisanpack-ui/code-style-pint: ^1.1
- dealerdirect/phpcodesniffer-composer-installer: ^1.0
- friendsofphp/php-cs-fixer: ^3.75
- laravel/pint: ^1.26
- livewire/livewire: ^3.6|^4.0
- orchestra/testbench: ^10.2|^11.0
- pestphp/pest: ^3.8|^4.0
- pestphp/pest-plugin-laravel: ^3.2|^4.0
This package is auto-updated.
Last update: 2026-07-08 01:49:20 UTC
README
Security analytics for Laravel: structured security event logging, pluggable anomaly detection, threat intelligence aggregation, SIEM export (Datadog / Elasticsearch / Splunk / Syslog / Webhook), playbook-driven incident response automation, multi-channel alerting, reports, and a Livewire dashboard.
This package is part of the ArtisanPack UI Security 2.0 split — the analytics, monitoring, and incident-response features previously bundled inside artisanpack-ui/security (1.x) live here in 2.0+.
Features
- Event logging —
SecurityEventLoggerplus aLogAuthenticationEventslistener that captures Laravel auth events automatically into a structuredsecurity_eventstable. - Anomaly detection — 8 pluggable detectors (
BruteForce,CredentialStuffing,GeoVelocity,PrivilegeEscalation,AccessPattern,Behavioral,Statistical,RuleBased) orchestrated byAnomalyDetectionServicewith per-user baselines viaBaselineManager. - Threat intelligence — 5 pluggable providers (
AbuseIPDB,GoogleSafeBrowsing,IpQualityScore,VirusTotal,CustomFeed) aggregated byThreatIntelligenceService. - SIEM export — 5 pluggable exporters (
Datadog,Elasticsearch,Splunk,Syslog,Webhook) backed bySiemExportService. - Incident response automation — 10 pluggable actions (block IP / user, lock account, revoke sessions, force password reset, require 2FA, terminate session, notify admin, rate-limit IP, enable enhanced logging, log event) coordinated by
IncidentResponderand driven byResponsePlaybookdefinitions. - Alerting — 8 channels (
Database,Email,OpsGenie,PagerDuty,Slack,Sms,Teams,Webhook) routed viaAlertManagerwithAlertRuledefinitions andAlertHistoryaudit. - Reports — 6 report types (
ExecutiveSummary,Incident,Compliance,Threat,Trend,UserActivity) generated on-demand or on a schedule viaScheduledReport. - Dashboard — bundled
SecurityDashboardController(10 JSON endpoints) plus 4 Livewire components (SecurityDashboard,SecurityEventList,SecurityStats,SuspiciousActivityList) with shipped Blade views. - Eloquent models (11), migrations (10), and factories (9) for the full schema.
- Console commands (11) for processing, pruning, exporting, generating reports, syncing threat feeds, and updating behavior baselines.
- Background jobs (5) for off-request analysis, SIEM export, scheduled reports, metric processing, and alert delivery.
- Events (3) —
SecurityEventOccurred,AnomalyDetected,SuspiciousActivityDetected— subscribe to integrate with downstream systems. SecurityAnalyticsFacade +security_analytics()helper.
AI features
The package registers three AI-assisted surfaces via artisanpack-ui/ai when installed. Each is a plain Livewire component wired to an agent that extends ArtisanPackUI\Ai\Agents\ArtisanPackAgent, so it inherits the shared feature toggle, credential resolver, cache pipeline, and usage tracking.
| Feature key | Agent | Livewire component | Default model | Purpose |
|---|---|---|---|---|
security.threat_triage |
ThreatTriageAgent |
ThreatTriagePanel |
claude-sonnet-4-6 |
Plain-language severity and recommended actions for a single SecurityEvent. |
security.anomaly_summary |
AnomalySummaryAgent |
AnomalySummaryPanel |
claude-haiku-4-5-20251001 |
Periodic digest of unusual events over a configurable window (default 24h). |
security.incident_response |
IncidentResponseAgent |
IncidentResponsePanel |
claude-opus-4-7 |
Suggested next steps for an open SecurityIncident. Advisory only — never triggers actions. |
Features are discovered automatically from the service provider's aiFeatures() method by the artisanpack-ui/ai boot pass — no manual registration required. Each feature is togglable at runtime via the shared feature registry, and each Livewire panel renders a disabled state when the feature is off or when credentials cannot be resolved (no LLM calls happen in either case).
Render a panel inline anywhere you have an event or incident:
{{-- On the security-event detail surface --}} <livewire:security-analytics.threat-triage-panel :event-id="$event->id" /> {{-- Somewhere on the dashboard --}} <livewire:security-analytics.anomaly-summary-panel /> {{-- On the incident detail surface --}} <livewire:security-analytics.incident-response-panel :incident-id="$incident->id" />
The three agents are also invocable directly from PHP:
use ArtisanPackUI\SecurityAnalytics\AI\Agents\ThreatTriageAgent; $triage = ThreatTriageAgent::for( $securityEvent )->run(); // [ 'severity' => 'high', 'summary' => '…', 'recommended_actions' => [ … ], 'related_events' => [ … ] ]
Override the shipped Blade views by shadowing them under resources/views/vendor/security-analytics/livewire/{threat-triage-panel,anomaly-summary-panel,incident-response-panel}.blade.php.
Installation
composer require artisanpack-ui/security-analytics php artisan migrate
(Optional) Publish the config:
php artisan vendor:publish --tag=security-analytics-config
Quick start
Log a security event:
use ArtisanPackUI\SecurityAnalytics\Facades\SecurityAnalytics; security_analytics()->logger()->log( type: 'authentication', name: 'login.failed', severity: 'warning', context: ['username' => $request->input('email')], );
Or react to the auth events Laravel fires:
// The package's LogAuthenticationEvents listener wires this up automatically. // To opt out, set config('artisanpack.security-analytics.auto_log_auth_events') to false.
Mount the dashboard:
// The dashboard routes auto-register under the configured prefix (default: /security). // Visit /security/dashboard to see the Livewire UI.
Dashboard Blade views
The dashboard views ship as plain HTML + Tailwind by design — the package does not depend on artisanpack-ui/livewire-ui-components. To customize them, shadow the package views by placing your own files at resources/views/vendor/security-analytics/livewire/*.blade.php — Laravel resolves overrides before package defaults.
Documentation
Requirements
- PHP 8.3+
- Laravel 10 / 11 / 12 / 13
artisanpack-ui/ai^1.0.0-alpha.1 — foundation for the three AI features (see AI features)livewire/livewire^3.6 or ^4.0 (only required for the dashboard UI + AI panels; the rest of the package works without Livewire)
Sibling packages
| Package | Scope |
|---|---|
artisanpack-ui/security-full |
Meta-package — pulls in the full security suite (all six packages below) in a single require |
artisanpack-ui/security |
Core: input sanitization, escaping, CSP, security headers |
artisanpack-ui/security-auth |
2FA, password complexity, account lockout, sessions |
artisanpack-ui/security-advanced-auth |
WebAuthn, SSO, social login |
artisanpack-ui/rbac |
Roles, permissions, Gate integration |
artisanpack-ui/secure-uploads |
File validation, malware scanning, signed-URL serving |
artisanpack-ui/compliance |
GDPR / CCPA / LGPD compliance tools |
License
MIT — see LICENSE.
Contributing
Please read the contributing guidelines before opening an issue or PR.