Analytics
The Audit Service provides analytics capabilities through the AuditAnalyticsController and AuditAnalyticsService. These endpoints deliver dashboard metrics, time-series data, access pattern analysis, user behavior analysis, and anomaly detection for audit events.
Dashboard Metrics
Endpoint: GET /api/v1/audit/analytics/tenants/:tenantId/dashboard
Returns a summary of key audit metrics for a tenant, including total events, event counts by type, severity distribution, top actors, and top resources.
curl http://localhost:8086/api/v1/audit/analytics/tenants/550e8400-e29b-41d4-a716-446655440000/dashboard \
  -H "Authorization: Bearer ${TOKEN}"
Time Series Data
Endpoint: GET /api/v1/audit/analytics/tenants/:tenantId/time-series
Returns event counts grouped by time intervals for charting.
| Parameter | Type | Default | Description |
|---|---|---|---|
| start | Instant | 7 days ago | Start time (ISO-8601) |
| end | Instant | now | End time (ISO-8601) |
| granularity | TimeGranularity | HOUR | Grouping interval: MINUTE, HOUR, DAY, WEEK, MONTH |
curl "http://localhost:8086/api/v1/audit/analytics/tenants/550e8400/time-series?granularity=DAY&start=2026-02-01T00:00:00Z" \
  -H "Authorization: Bearer ${TOKEN}"
Access Pattern Analysis
Endpoint: GET /api/v1/audit/analytics/tenants/:tenantId/access-patterns
Analyzes access patterns within a time range, identifying peak activity periods, most-accessed resources, and common action sequences.
| Parameter | Type | Default | Description |
|---|---|---|---|
| start | Instant | 7 days ago | Start time |
| end | Instant | now | End time |
User Behavior Analysis
Endpoint: GET /api/v1/audit/analytics/tenants/:tenantId/users/:actorId/behavior
Analyzes the behavior of a specific user over time, including activity patterns, resource access frequency, and deviation from baseline behavior.
| Parameter | Type | Default | Description |
|---|---|---|---|
| start | Instant | 30 days ago | Start time |
| end | Instant | now | End time |
curl "http://localhost:8086/api/v1/audit/analytics/tenants/550e8400/users/660e8400/behavior" \
  -H "Authorization: Bearer ${TOKEN}"
Anomaly Detection
Endpoint: GET /api/v1/audit/analytics/tenants/:tenantId/anomalies
Detects anomalous patterns in audit events by comparing current activity against established baselines. The service tracks:
- Unusual login times or locations
- Spikes in data access volume
- Access to resources outside normal patterns
- Elevated error rates
- Rate limit violations
curl http://localhost:8086/api/v1/audit/analytics/tenants/550e8400/anomalies \
  -H "Authorization: Bearer ${TOKEN}"
Recalculate Baseline
Endpoint: POST /api/v1/audit/analytics/tenants/:tenantId/baseline/recalculate
Manually triggers a baseline recalculation for the tenant. Baselines are used as the reference for anomaly detection.
curl -X POST http://localhost:8086/api/v1/audit/analytics/tenants/550e8400/baseline/recalculate \
  -H "Authorization: Bearer ${TOKEN}"
Analytics Data Flow
         Audit Events (PostgreSQL)
                     |
                     v
           AuditAnalyticsService
                     |
    +----------+-----+-----+----------+
    |          |           |          |
    v          v           v          v
Dashboard    Time       Access     Anomaly
 Metrics    Series     Patterns   Detection
The analytics service queries PostgreSQL directly using aggregate queries against the audit_events table. The database indexes on tenant_id, created_at, actor_id, and resource_type, resource_id support efficient analytics queries.
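The baseline comparison described under Anomaly Detection and Recalculate Baseline, sketched as an added example that is not the Audit Service's own code or algorithm. The event_type field, the finding labels, the z-score threshold and the sample events are assumptions constructed for the illustration; actor_id and created_at follow the column names above.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

def _ts(e):
    # Accept the ISO-8601 "Z" suffix on Python versions before 3.11.
    return datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))

def build_baseline(events):
    """Per-actor reference: daily event-count mean/stddev and hours of day seen."""
    daily, hours = defaultdict(Counter), defaultdict(set)
    for e in events:
        daily[e["actor_id"]][_ts(e).date()] += 1
        hours[e["actor_id"]].add(_ts(e).hour)
    return {a: {"mean": mean(c.values()), "std": pstdev(c.values()), "hours": hours[a]}
            for a, c in daily.items()}

def detect_anomalies(baseline, current, z_threshold=3.0, min_std=1.0):
    """Compare one day of events to the baseline; returns sorted (actor_id, finding)."""
    findings = set()
    for actor, n in Counter(e["actor_id"] for e in current).items():
        b = baseline.get(actor)
        if b is None:  # no history: cannot score, so surface it instead of ignoring it
            findings.add((actor, "NO_BASELINE"))
        elif (n - b["mean"]) / max(b["std"], min_std) > z_threshold:
            findings.add((actor, "VOLUME_SPIKE"))
    for e in current:
        b = baseline.get(e["actor_id"])
        if b and e["event_type"] == "LOGIN" and _ts(e).hour not in b["hours"]:
            findings.add((e["actor_id"], "UNUSUAL_LOGIN_HOUR"))
    return sorted(findings)

def _event(actor, day, hour, kind="READ"):
    return {"actor_id": actor, "event_type": kind,
            "created_at": f"2026-02-{day:02d}T{hour:02d}:00:00Z"}

# Constructed sample data: 7 baseline days of 09:00-17:00 activity for two actors.
BASELINE_EVENTS = [_event(a, d, h, "LOGIN" if h == 9 else "READ")
                   for a in ("alice", "bob") for d in range(1, 8) for h in range(9, 18)]
# Constructed current day: alice logs in at 03:00 and reads 60 times,
# bob behaves as usual, carol has no history.
CURRENT_EVENTS = ([_event("alice", 8, 3, "LOGIN")] + [_event("alice", 8, 3)] * 60
                  + [_event("bob", 8, h, "LOGIN" if h == 9 else "READ") for h in range(9, 18)]
                  + [_event("carol", 8, 10)])

if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_EVENTS), CURRENT_EVENTS):
        print(finding)
```

In this sketch, rebuilding the baseline over a window that already contains the anomalous day makes the same events score as normal, so a manual recalculation is best run after open anomalies have been reviewed.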