Analyzing Statistics for Local Login Attempts

The Local Login Attempts page displays statistics relating to local authentication. A local authentication is an authentication activity carried out via the local identity provider. If a local identity provider is involved in a given sequence of authentication, it is considered a single local authentication attempt regardless of the number of steps carried out via the local identity provider. i.e., If multiple authentication steps are carried out by the local identity provider within an authentication sequence, the successful completion of all these steps is counted as a single successful local authentication. However, each local authentication step that fails is counted as a separate local authentication failure.

The statistics displayed in this page include all login attempts that are done through the local identity providers over time and the login attempts distribution over various dimensions such as service providers, user-stores, roles and users.

For detailed information about the common functions of the Security Analytics dashboard, see Analyzing Statistics for Authentication Operations - Using the Security Analytics Dashboard.

Login attempts over time

View (Example)
Description	This gadget indicates the following. The total number of login attempts corresponding to the resident identity provider during the selected time interval. The success and the failure rate for login attempts during the selected time interval. Region map shown in the dashboard may not show all the regions for the login attempts. This is because the packed sample database does not contain complete data for all the IP addresses. Please create a new database with complete data and do necessary configurations in WSO2 IS Analytics Server. See Using Geolocation Based Statistics.
Purpose	This allows you to identify the login attempts handled by IS over time. As a result, you can understand the login patterns and detect deviations that may indicate unusual occurrences such as attacks, system downtime, etc.
Recommended Action	Check the success and failure rate at different time intervals to identify login patterns (e.g., different days of the week, different hours of the day). If there is a deviation from the observed pattern, check for unusual activity (e.g., attacks, system downtime etc.)

Login attempts distribution over top 10 service providers

View (Example)
Description	This gadget ranks the top 10 service providers for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts for each service provider is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the most frequently accessed service providers. Detect unusual occurrences based on significant changes in the frequency with which each service provider is accessed.
Recommended Action	Click on the bars corresponding to different service providers to view successful and failed login attempts filtered by the selected service provider.

Login attempts distribution over top 10 user stores

View (Example)
Description	This gadget ranks the top 10 user stores for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts for each user store is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the most frequently accessed user stores. Detect unusual occurrences based on significant changes in the frequency with which each user store is accessed.
Recommended Action	Click on the bars corresponding to different user-stores to view successful and failed login attempts filtered by the selected user store.

Login attempts distribution over top 10 roles

View (Example)
Description	This gadget ranks the top 10 user roles for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts of each user role is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the user roles that make the most frequent login attempts Detect unusual occurrences based on significant changes in the frequency of the login attempts by each user role.
Recommended Action	Click on the bars corresponding to different roles to view the successful and failed login attempts filtered by the selected user role.

Login attempts distribution over top 10 users

View (Example)
Description	This gadget ranks the top 10 users for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts of each user is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the users that make the most frequent login attempts Detect unusual occurrences based on significant changes in the frequency of the login attempts by each user.
Recommended Action	Click on the bars corresponding to different users to view the successful and failed login attempts filtered by the selected user.

Data table

View (Example)
Description	This gadget provides a list view of login attempts during the selected time interval. Details including the username, service provider, user store, user role, IP, whether the authentication was successful or not and the timestamp are displayed for each login attempt. The login attempts are sorted by the username by default, but they can be sorted by other fields in the ascending/descending order if required. When a user makes a failed login attempt, the role and the tent domain of the user cannot be identified by WSO2 Analytics unless the user ID is in the `<User_STORE>/<NAME>@<TENANT_DOMAIN>` format. When the role and the tenant domain is not identified, `NOT_AVAILABLE` is displayed in the Userstore column, and the super tenant dominion is displayed in the Tenant Domain column. e.g., If a login attempt is made using the valid user ID `manager` and an incorrect password, the data table displays `NOT_AVAILABLE` in the Userstore column, and `carbon.super` (i.e., the domain of the super tenant) is displayed in the Tenant Domain column. If a login attempt is made using the valid user ID `SecondaryUserStore/manager@abc.com` and an incorrect password, the data table displays `SecondaryUserStore` in the Userstore column, and `abc.com` in the Tenant Domain column.
Purpose	This gadget allows you to identify the individual login attempts made during the selected time interval and view detailed information about them.
Recommended Action	Sort the records by each field available in order to identify the login patterns relating to each username, service provider, user store, user role, and IP. Deviations from the identified patterns can help you to detect unusual occurrences.