Session analytics reviewed quarterly
Why it matters
Session security controls only work if their efficacy is monitored. Without a quarterly review of session analytics (login frequency, timeout event rates, concurrent-session warnings, suspicious-activity triggers), patterns that signal active attacks or policy drift go undetected for months. PCI-DSS v4.0 Req 10.7 requires that failures of critical security control systems be detected, reported and responded to promptly, and NIST SP 800-53 Rev. 5 AU-6 requires that audit records be reviewed and analyzed on a regular basis. An unusual rise in session-extension events, or an unexplained drop in timeouts, can indicate a stolen session being kept alive; a drop in concurrent-session warnings to zero can mean the control stopped firing rather than that the condition stopped occurring. Quarterly reviews convert raw session data into actionable security posture assessments.
Severity rationale
Info severity: the absence of a review schedule does not disable any session security control, but it leaves control failures, attack patterns and policy drift invisible until a breach forces a retrospective investigation.
Remediation
Create a session analytics endpoint at src/app/api/admin/session-analytics/route.ts (a Next.js App Router route handler; db is assumed to be the project's Prisma client, and the route must sit behind the application's existing admin authorization, which is not shown here) and schedule a calendar review quarterly:
import { db } from '@/lib/db'; // assumed path to the project's Prisma client

export async function GET() {
  // Admin-only: reuse the application's existing admin authorization for this route.
  const since = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000); // 90 days, one quarter
  // Count session events per type (login, logout, timeout, extension, concurrent warning)
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: since } },
    _count: true,
  });
  return Response.json(analytics);
}
Track at minimum: login count, logout count, timeout events, extension events, and concurrent-session warnings. Compare each quarter's counts with the previous quarter's so that a metric dropping to zero (a control that stopped firing) or spiking is noticed rather than read as normal. Schedule a recurring calendar item every 90 days with a checklist item to pull this endpoint and document findings (date, reviewer, metrics pulled, anomalies, actions taken). The review record itself is the audit artifact that shows failures of this control are being detected, as PCI-DSS Req 10.7 requires.
Detection
- ID: session-analytics-reviewed
- Severity: info
- What to look for: Count all session analytics dashboards, reports, or review records. Quote the actual review date or schedule found. Verify that at least 1 review exists within the past 90 days (quarterly). Enumerate the metrics tracked (concurrent sessions, timeout events, suspicious activity).
- Pass criteria: At least 1 session analytics dashboard or report exists, AND at least 1 review record is dated within the past 90 days. Count all metrics tracked — at least 3 session metrics must be monitored. Report the count even on pass (e.g., "1 analytics endpoint, last review 2026-01-15, 4 metrics: logins, timeouts, concurrent, suspicious").
- Fail criteria: No dashboard or metrics (0 analytics endpoints), or no review within 90 days, or fewer than 3 metrics tracked.
- Skip (N/A) when: The application is not subject to regular security reviews — cite the actual compliance context found.
- Detail on fail: "0 session analytics dashboards found — no session activity monitoring" or "Dashboard exists but 0 review records within 90 days"
- Remediation: Create a session analytics dashboard and schedule quarterly reviews (in src/app/api/admin/session-analytics/route.ts):
// src/app/api/admin/session-analytics/route.ts
import { db } from '@/lib/db'; // assumed path to the project's Prisma client

export async function GET() {
  const last90Days = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: last90Days } },
    _count: true
  });
  return Response.json(analytics);
}
// Schedule quarterly review in calendar/ticketing system
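As an added example (not the page's own code, and not part of the finserv-session-security import), the following TypeScript runs the remediation's groupBy query against a constructed in-memory event log in place of db.sessionEvents, adds the quarter-over-quarter comparison a reviewer would want, and applies the detection rule's pass/fail criteria above to a review record. The functions flagDrift and evaluateReview, the event names, the fixed "now" and all sample events are assumptions made for illustration.

```typescript
// Added example, not the page's own code: the remediation's groupBy query and the
// detection rule's pass/fail criteria, run against a constructed in-memory event log.
// The page's `db.sessionEvents` is replaced by a plain array; flagDrift, evaluateReview,
// the event names and all sample data are assumptions made for illustration.

export type SessionEventName =
  | 'login' | 'logout' | 'timeout' | 'extension' | 'concurrent_warning';

export interface SessionEvent { event: SessionEventName; timestamp: Date; }

const DAY_MS = 24 * 60 * 60 * 1000;
export const REVIEW_WINDOW_DAYS = 90; // one quarter

/** Count events per type in the window [now - offsetDays - days, now - offsetDays).
 *  With offsetDays = 0 this is the in-memory equivalent of the page's Prisma groupBy. */
export function groupSessionEvents(
  events: SessionEvent[], now: Date, days = REVIEW_WINDOW_DAYS, offsetDays = 0,
): Record<string, number> {
  const end = now.getTime() - offsetDays * DAY_MS;
  const start = end - days * DAY_MS;
  const counts: Record<string, number> = {};
  for (const e of events) {
    const t = e.timestamp.getTime();
    if (t >= start && t < end) counts[e.event] = (counts[e.event] ?? 0) + 1;
  }
  return counts;
}

/** Quarter-over-quarter drift: a metric that fell to zero may be a control that stopped
 *  firing; one that grew more than spikeFactor-fold may be an attack pattern. */
export function flagDrift(events: SessionEvent[], now: Date, spikeFactor = 3): string[] {
  const current = groupSessionEvents(events, now);
  const previous = groupSessionEvents(events, now, REVIEW_WINDOW_DAYS, REVIEW_WINDOW_DAYS);
  const names = Array.from(new Set([...Object.keys(current), ...Object.keys(previous)]));
  const findings: string[] = [];
  for (const name of names) {
    const cur = current[name] ?? 0;
    const prev = previous[name] ?? 0;
    if (prev > 0 && cur === 0) findings.push(`${name}: ${prev} -> 0 (control stopped firing?)`);
    else if (prev > 0 && cur > spikeFactor * prev) findings.push(`${name}: ${prev} -> ${cur} (spike)`);
  }
  return findings;
}

export interface ReviewState {
  analyticsEndpoints: number; // dashboards, reports or endpoints found
  metrics: string[];          // distinct session metrics tracked
  lastReview: Date | null;    // date of the most recent review record, if any
}

/** The detection rule's criteria: >= 1 endpoint, a review within 90 days, >= 3 metrics.
 *  The detail string is what the finding reports, on pass as well as on fail. */
export function evaluateReview(state: ReviewState, now: Date): { pass: boolean; detail: string } {
  if (state.analyticsEndpoints === 0) {
    return { pass: false, detail: '0 session analytics dashboards found - no session activity monitoring' };
  }
  const last = state.lastReview;
  if (last === null || now.getTime() - last.getTime() > REVIEW_WINDOW_DAYS * DAY_MS) {
    return { pass: false, detail: 'Dashboard exists but 0 review records within 90 days' };
  }
  if (state.metrics.length < 3) {
    return { pass: false, detail: `Only ${state.metrics.length} session metrics tracked (minimum 3)` };
  }
  const when = last.toISOString().slice(0, 10);
  return {
    pass: true,
    detail: `${state.analyticsEndpoints} analytics endpoint, last review ${when}, ` +
      `${state.metrics.length} metrics: ${state.metrics.join(', ')}`,
  };
}

// Constructed sample data (not real telemetry). Timestamps are relative to a fixed "now" so the
// quarter boundaries are deterministic. The previous quarter logged concurrent-session warnings
// and few timeouts; the current quarter has no warnings at all and four times as many timeouts.
export const NOW = new Date('2026-04-01T00:00:00Z');

function series(event: SessionEventName, n: number, firstDayAgo: number): SessionEvent[] {
  return Array.from({ length: n }, (_, i) => ({
    event, timestamp: new Date(NOW.getTime() - (firstDayAgo + (i % 80)) * DAY_MS),
  }));
}

export const SAMPLE_EVENTS: SessionEvent[] = [
  ...series('login', 40, 1), ...series('login', 30, 95),
  ...series('logout', 25, 2), ...series('logout', 25, 96),
  ...series('timeout', 20, 3), ...series('timeout', 5, 97),
  ...series('extension', 8, 4), ...series('extension', 8, 98),
  ...series('concurrent_warning', 6, 99), // previous quarter only
];

// What the quarterly review would record for this sample (a review dated 76 days before NOW).
export const REVIEW_RESULT = evaluateReview(
  { analyticsEndpoints: 1, metrics: ['logins', 'timeouts', 'concurrent', 'suspicious'],
    lastReview: new Date('2026-01-15T00:00:00Z') },
  NOW,
);
```

On the sample, flagDrift reports the timeout spike (5 to 20) and the concurrent-session warnings falling from 6 to 0; the second finding is the case the page warns about, where a quiet metric is a broken control rather than good news. The pass/fail detail strings follow the wording of the detection record so the same text can go straight into the review artifact.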
External references
- nist:rev5 · AU-6 — Audit Record Review, Analysis, and Reporting
- pci-dss:4.0 · Req 10.7 — Failures of critical security controls detected and reported
Taxons
History
- 2026-04-18·v1.0.0·Initial import from finserv-session-security·automated