This documentation is for WSO2 Identity Server 5.2.0 . View documentation for the latest release.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Use the procedure below to analyze WSO2 IS using WSO2 AnalyticsThe following sections explain how to access the Security Analytics dashboard to view statistics relating to authentication activities and sessions, and functions common to all the pages in this dashboard.

Table of Contents
maxLevel3
minLevel3

Accessing the Analytics Dashboard
Anchor
Access Dashboard
Access Dashboard

Follow the procedure below to access the Analytics Dashboard to view statistics relating to security analytics.

Info

The Analytics Dashboard cannot be viewed using the Internet Explorer 10 and older versions.

Analyzing Statistics for Resident Identity Provider 

The statistics displayed in the Resident Identity Provider view includes the overall success and failure login attempts over time and the login attempts distribution over various dimensions such as  service providers, user-stores, roles and users.

Login Attempts Over Time

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the total number of login attempts corresponding to the resident identity provider during the selected period of time and the rate of success and failure within the same period.

...

Purpose

...

This allows you to identify the login attempts handled by IS over time in order to understand the patterns of login attempts and any unusual occurrences that have taken place during that time. (eg: attacks, system downtime)

...

Recommended Action

...

Check the success and failure patterns of login attempts.

Login Attempts Distribution Over Top 10 Service Providers

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over top 10 service providers during the selected period of time.

...

Purpose

...

This allows you to identify what are the service providers accessed mostly and any unusual occurrences with regard to accessing particular service providers.

...

Recommended Action

...

Click on the bars corresponding to different service providers to view the login success and failure attempts filtered by the selected service provider.

 

Login Attempts Distribution Over Top 10 User-stores

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over the user-stores during the selected period of time.

...

Purpose

...

This allows you to identify any unusual occurrences with regard to different user-stores.

...

Recommended Action

...

Click on the bars corresponding to different user-stores to view the login success and failure attempts filtered by the selected user-store.

Login Attempts Distribution Over Top 10 Roles

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over the roles during the selected period of time.

...

Purpose

...

This allows you to identify by which roles mostly the login attempts are done and any unusual attempts done by particular user roles.

...

Recommended Action

...

Click on the bars corresponding to different roles to view the login success and failure attempts filtered by the selected role.

Login Attempts Distribution Over Top 10 Users

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over the users during the selected period of time.

...

Purpose

...

This allows you to identify the top users who attempted to login and any unusual attempts done by particular users.

...

Recommended Action

...

Click on the bars corresponding to different users to view the login success and failure attempts filtered by the selected user.

Data Table

 

...

View

(Example)

...

Image Removed

...

Description

...

This provides you a list view of login attempts during the selected time period sort by username by default. You have options to sort by other fields as well. Details including username, service provider, userstore, role, IP are displayed for each login attempt.

...

Purpose

...

This allows you to identify the individual login attempts done during the selected time period and find more details on them.

...

Recommended Action

...

Sort the records by individual fields to see whether there can be seen any unusual patterns of login attempts.

 

...

  1. Log into the WSO2 Analytics -IS Management Console using the following URL.
    In the Main tab, click Analytics Dashboard, and log URL: https://<IS_ANALYTICS_HOST>:<ANALYTICS_PORT>/carbon/

  2. In the Main tab, click Analytics Dashboard. Log into the Analytics Dashboard by entering your credentials in the login dialog box that appears. The following dashboard is displayed by default.
    Screen Shot 2016-06-01 at 11.13.24 AM.pngImage RemovedImage Added
  3. Click View to

    Click View to open the IS Analytics dashboard.

    This

    The Security Analytics dashboard is displayed as shown in the example below.

ISScreen.pngImage Removed

By default Federated Identity Provider view is displayed in the home page. To view the Resident Identity Provider view, select Resident Identity Provider from the menu bar.

Home dashboard visualize the data in several dimensions for selected date range. Date range can be selected from the date range picker. On the other hand further drill down on specific date range can be achieved by drag selecting on the Login Attempts over time area chart. Filtrations for the dashboard  can be done by selecting bar chart items.

Analyzing Statistics for Federated Identity Providers

The statistics displayed in the Federated Identity Provider view includes the overall success and failure login attempts over time and the login attempts distribution over various dimensions such as  service providers, identity providers, users and first time service provider.

Login Attempts Over Time

 

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the total number of login attempts during the selected period of time and the rate of success and failure within the same period.

...

Purpose

...

This allows you to identify the login attempts handled by IS over time in order to understand the patterns of login attempts and any unusual occurrences that have taken place during that time. (eg: attacks, system downtime)

...

Recommended Action

...

Check the success and failure patterns of login attempts.

 

Login Attempts Distribution Over Top 10 Service Providers

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over top 10 service providers during the selected period of time.

...

Purpose

...

This allows you to identify what are the service providers accessed mostly and any unusual occurrences with regard to accessing particular service providers.

...

Recommended Action

...

Click on the bars corresponding to different service providers to view the login success and failure attempts filtered by the selected service provider.

Login Attempts Distribution Over Top 10 Identity Providers

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over the federated identity providers during the selected period of time.

...

Purpose

...

This allows you to identify the login attempts corresponding to different federated identity providers and any unusual patterns with regard to particular identity provider.

...

Recommended Action

...

  • Click on the bars corresponding to different identity providers to view the login success and failure attempts filtered by the selected identity provider.

  • Click on the Resident Identity Provider link to go to the resident identity provider view.

 

Login Attempts Distribution Over Top 10 Users

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts and login failure attempts distribution over the users during the selected period of time.

...

Purpose

...

This allows you to identify the top users who attempted to login and any unusual attempts done by particular users.

...

Recommended Action

...

Click on the bars corresponding to different users to view the login success and failure attempts filtered by the selected user.

 

Login Attempts Distribution Over First Time Login Service Providers

 

...

View

(Example)

...

Image Removed

...

Description

...

This indicates the login success attempts distribution over the first time login service provider during the selected period of time.

...

Purpose

...

This allows you to identify what are the service providers accessed for the first time login and any unusual occurrences with regard to accessing particular service providers.

...

Recommended Action

...

Click on the bars corresponding to different service providers to view the login success and failure attempts filtered by the selected service provider.

 

Data Table

 

...

View

(Example)

...

Selection_062.pngImage Removed

...

Description

...

This provides you a list view of login attempts during the selected time period sort by username by default. You have options to sort by other fields as well. Details including username, service provider, identity provider, IP are displayed for each login attempt.

...

Purpose

...

This allows you to identify the individual login attempts done during the selected time period and find more details on them.

...

Recommended Action

...

Sort the records by individual fields to see whether there can be seen any unusual patterns of login attempts.

 

  1. Image Added

    This page displays a summary of overall login attempts, local login attempts and federated login attempts as shown above.

  2. If you want to view information relating to overall login attempts, click OVERALL in the left navigator to open the page with the relevant statistics. The same page can be opened by clicking See More under Overall Login Attempts. For detailed information about analyzing overall login attempts, see Analyzing Statistics for Overall Login Attempts.
  3. If you want to view information relating to local identity providers, click LOCAL in the left navigator. The same page can be opened by clicking See More under Local Login Attempts. For detailed information about analyzing local login attempts, see Analyzing Statistics for Local Login Attempts.
  4. If you want to view information relating to federated identity providers, click FEDERATED under the LOGIN ATTEMPTS in the left navigator. The same page can be opened by clicking See More under Federated Login Attempts. For detailed information about analyzing federated login attempts, see Analyzing Statistics for Federated Login Attempts.
  5. If you want to view information relating to sessions, click SESSIONS in the left navigator. For detailed information about analyzing sessions, see Analyzing Statistics for Sessions.

Using the Security Analytics dashboard
Anchor
Common Functions
Common Functions

The following sections explain common functions of the Security Analytics dashboard.

Viewing statistics for a selected time interval

At any given time, each page in the dashboard displays the statistics for a selected time interval.

  • If you want to view statistics for a pre-defined time interval, click on the relevant time interval (e.g., Last 24 Hours).
    Image Added
  • If you want to define a custom time interval, click Custom and select the start and end dates of the required time interval in the calendar that appears. Then click Apply.
    Image Added
Info

When you select Last Hour as the time interval for which statistics are to be displayed, all the gadgets except data tables are updated in about 1 minute. When the time interval selected is greater than one hour, the same gadgets are updated in 5 minutes. This is because the relevant Spark scripts need to be executed in order to update the gadgets.

The data tables in each page are updated instantly.

 

Working with filters

The Security Analytics dashboard allows you to add filters that allow you to update multiple gadgets in a given page to display information relating to a selected criteria.

Info

A filter can be added only to gadgets with a Search field together with the Add Filter button.

  1. Access the Security Analytics dashboard as explained under Accessing the Security Analytics dashboards.
  2. Click Local in the left navigator to open the page displaying statistics for local login attempts.
  3. In the Search field on the By Role gadget, enter admin and then click Add Filter as demonstrated below.
    Image Added 
    This results in all the gadgets in the page except the By Role gadget (to which the filter was added) being updated to display only information relating to the admin role. 
  4. To remove a filter already applied to a filter, click the close (i.e. x) sign in the relevant Search field as shown below.
    Image Added