This document describes Spikerz workspace SIEM alerts. These alerts are generated at the workspace level and may include signals reported by connected social media platforms. They are designed for SOC teams, IT, and security stakeholders to understand what happened, why it matters, and how to assess risk.
1. SIEM Alert Structure
All Spikerz SIEM alerts share a consistent schema, making them easy to ingest and correlate in any SIEM.
Common fields
Field | Description |
_id | Unique event identifier |
workspaceId | Spikerz workspace where the event occurred |
platform | Social platform involved (Instagram, Facebook, TikTok, etc.) or |
accountId | Internal identifier of the connected account (nullable) |
assetUsername | Username of the social media asset (nullable) |
employeeId | Employee identifier (for employee-related events) |
email | User or employee email (for audit events) |
timestamp | ISO 8601 timestamp |
sourceType | Always |
metadata | Event-specific contextual data |
Security alerts vs audit events
Type | Identification | Purpose |
Security alert | type and category populated; action is null | High-signal security events |
Audit / event log | action populated; type and category are null | Visibility, audit, correlation |
2. Risk Levels
Risk | Meaning |
🚨 Critical | Immediate security incident |
🔴 High | Strong security signal |
🟠 Medium | Potential risk or loss of visibility |
🟡 Informational | Expected activity, audit only |
2.1 SIEM Event Examples (JSON)
Below are realistic example payloads showing how Spikerz sends events to your SIEM. These examples illustrate the two core types of events: security alerts and audit / event logs.
Security Alert Example (type + category)
Security alerts represent high-signal security events. They populate type and category, and leave action as null.
{
  "_id": "507f1f77bcf86cd799439011",
  "workspaceId": "workspace_123",
  "platform": "instagram",
  "accountId": "17841445325350983",
  "assetUsername": "example_account",
  "employeeId": null,
  "email": null,
  "type": "autoAccountLockoutTriggered",
  "category": "accountSecurity",
  "action": null,
  "timestamp": "2025-04-11T12:55:29.062Z",
  "sourceType": "spikerz",
  "metadata": {
    "trigger": "suspicious_login",
    "device": "Chrome on Windows 10",
    "location": "Berlin, DE"
  }
}
Audit / Event Log Example (action)
Audit events represent workspace activity, configuration changes, and operational actions. They populate action, and leave type and category as null.
{
  "_id": "507f1f77bcf86cd799439012",
  "workspaceId": "workspace_123",
  "platform": "instagram",
  "accountId": "17841445325350983",
  "assetUsername": "example_account",
  "employeeId": "emp_456",
  "email": "[email protected]",
  "type": null,
  "category": null,
  "action": "permissionAdded",
  "timestamp": "2025-04-11T13:02:10.481Z",
  "sourceType": "spikerz",
  "metadata": {
    "role": "admin",
    "grantedBy": "workspace_owner"
  }
}
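The following is an added example, not Spikerz code: it classifies events by the type/category/action rule described above and pairs each security alert with audit events on the same workspace and account that follow it. The function names, the 15-minute window, and the third sample event are assumptions made for illustration.

```python
from datetime import datetime, timedelta

REQUIRED = ("_id", "workspaceId", "platform", "timestamp", "sourceType", "metadata")

def classify(event):
    """Apply the documented rule: alerts set type+category, audit events set action."""
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    typed = event.get("type") is not None and event.get("category") is not None
    untyped = event.get("type") is None and event.get("category") is None
    acted = event.get("action") is not None
    if typed and not acted:
        return "security_alert"
    if acted and untyped:
        return "audit_event"
    raise ValueError(f"event {event['_id']} matches neither shape")

def parse_ts(event):
    # datetime.fromisoformat() accepts a trailing "Z" only on Python 3.11+.
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def correlate(events, window=timedelta(minutes=15)):
    """Pair each alert with audit events on the same account within `window` after it."""
    kinds = [(classify(e), e) for e in events]
    alerts = [e for k, e in kinds if k == "security_alert"]
    audits = [e for k, e in kinds if k == "audit_event"]
    pairs = []
    for a in alerts:
        if a.get("accountId") is None:  # nullable field: nothing to join on
            continue
        for u in audits:
            same = (a["workspaceId"], a["accountId"]) == (u["workspaceId"], u.get("accountId"))
            delta = parse_ts(u) - parse_ts(a)
            if same and timedelta(0) <= delta <= window:
                pairs.append((a["_id"], u["_id"], delta.total_seconds()))
    return pairs

def make_event(event_id, account, ts, **kind):
    base = {"_id": event_id, "workspaceId": "workspace_123", "platform": "instagram",
            "accountId": account, "timestamp": ts, "sourceType": "spikerz",
            "metadata": {}, "type": None, "category": None, "action": None}
    return {**base, **kind}

# The first two events are trimmed copies of the examples above; the third is constructed.
SAMPLE = [
    make_event("507f1f77bcf86cd799439011", "17841445325350983", "2025-04-11T12:55:29.062Z",
               type="autoAccountLockoutTriggered", category="accountSecurity"),
    make_event("507f1f77bcf86cd799439012", "17841445325350983", "2025-04-11T13:02:10.481Z",
               action="permissionAdded"),
    make_event("constructed-0001", "00000000000000000", "2025-04-11T13:03:00.000Z",
               action="permissionAdded"),
]
```

On the sample data, `correlate(SAMPLE)` pairs the lockout alert with the permission change made on the same account about 401 seconds later and ignores the constructed event on a different account.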
3. Account Lockout & Takeover Prevention
Alert name | Explanation | Risk |
| Account was manually locked | 🚨 Critical |
| Automatic lockout after high-risk detection | 🚨 Critical |
| Lockout after suspicious new login | 🚨 Critical |
| Lockout after 2FA change | 🚨 Critical |
| Lockout after phone number change | 🚨 Critical |
4. Account Protection (Platform Signals)
This category groups authentication, password, and recovery changes reported by connected social platforms.
Alert name | Explanation | Risk |
| Two-factor authentication enabled | 🟡 Informational |
| Two-factor authentication configuration changed | 🟡 Informational |
| Two-factor authentication disabled | 🚨 Critical |
| Account password changed on platform | 🔴 High |
| Password rotation initiated | 🔴 High |
| Recovery email added | 🟡 Informational |
| Recovery email removed | 🔴 High |
| Recovery email changed | 🔴 High |
| Recovery phone number added | 🟡 Informational |
| Recovery phone number removed | 🔴 High |
| Recovery phone number changed | 🔴 High |
5. Data Breaches
Alert name | Explanation | Risk |
| Account email found in breach databases | 🔴 High |
| Password found in breach databases | 🔴 High |
| Employee email found in breach databases | 🔴 High |
| Employee password found in breach databases | 🔴 High |
6. Social Media Permissions
Alert name | Explanation | Risk |
| Permission added on social media asset | 🟡 Informational |
| Permission removed from social media asset | 🟡 Informational |
| Role added on social media asset | 🟡 Informational |
| Role removed from social media asset | 🟡 Informational |
| Page added to workspace | 🟡 Informational |
| Page removed from workspace | 🟡 Informational |
| Partner access added | 🟡 Informational |
| Partner access removed | 🟡 Informational |
| Partner role changed | 🟡 Informational |
| Partner status changed | 🟡 Informational |
| Social media account added to whitelist | 🟡 Informational |
| Social media account removed from whitelist | 🟡 Informational |
| Social media permissions configuration changed | 🟡 Informational |
7. Connectivity & Sync
Alert name | Explanation | Risk |
| Social media account connected to Spikerz | 🟡 Informational |
| Social media account disconnected from Spikerz | 🟠 Medium |
| Failed to fetch permissions from platform | 🟠 Medium |
8. Alert Workflow & Audit Events
Alert name | Explanation | Risk |
| Alert marked as resolved | 🟡 Informational |
| Alert reopened | 🟡 Informational |
| Alert marked as false positive | 🟡 Informational |
| Alert assigned to a user | 🟡 Informational |
| Alert type changed | 🟡 Informational |
| Alert tags changed | 🟡 Informational |
9. Comment & Moderation Events
Alert name | Explanation | Risk |
| Comment deleted | 🟡 Informational |
| Comment hidden | 🟡 Informational |
| Comment unhidden | 🟡 Informational |
| Reply created | 🟡 Informational |
| Reply edited | 🟡 Informational |
| Reply deleted | 🟡 Informational |
| Account blocked | 🟡 Informational |