Session analytics reviewed quarterly

Why it matters

Session security controls only work if their efficacy is monitored. Without quarterly review of session analytics — login frequency, timeout event rates, concurrent session warnings, suspicious activity triggers — patterns that signal active attacks or policy drift go undetected for months. PCI-DSS Req 10.7 requires review of security logs and events on a regular schedule. NIST 800-63B AU-6 mandates log analysis. A spike in timeout events might indicate session hijacking attempts keeping a stolen session alive; a drop in concurrent-session warnings might mean the control stopped firing. Quarterly reviews convert raw session data into actionable security posture assessments.

Remediation

Create a session analytics endpoint at src/app/api/admin/session-analytics/route.ts and schedule a calendar review quarterly:

export async function GET() {
  const since = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000); // 90 days
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: since } },
    _count: true
  });
  return Response.json(analytics);
}

Track at minimum: login count, logout count, timeout events, extension events, and concurrent-session warnings. Schedule a recurring calendar item every 90 days with a checklist item to pull this endpoint and document findings — the review record itself is the audit artifact PCI-DSS Req 10.7 requires.

Detection

ID: finserv-session-security.session-lifecycle.session-analytics-reviewed
Severity: info
What to look for: Count all session analytics dashboards, reports, or review records. Quote the actual review date or schedule found. Verify at least 1 review exists within the past 90 days (quarterly). Enumerate the metrics tracked (concurrent sessions, timeout events, suspicious activity).
Pass criteria: At least 1 session analytics dashboard or report exists, AND at least 1 review record is dated within the past 90 days. Count all metrics tracked — at least 3 session metrics must be monitored. Report the count even on pass (e.g., "1 analytics endpoint, last review 2026-01-15, 4 metrics: logins, timeouts, concurrent, suspicious").
Fail criteria: No dashboard or metrics (0 analytics endpoints), or no review within 90 days, or fewer than 3 metrics tracked.
Skip (N/A) when: The application is not subject to regular security reviews — cite the actual compliance context found.
Detail on fail: "0 session analytics dashboards found — no session activity monitoring" or "Dashboard exists but 0 review records within 90 days"

Remediation: Create a session analytics dashboard and schedule quarterly reviews (in src/app/api/admin/session-analytics/route.ts):

// app/api/admin/session-analytics.ts
export async function GET() {
  const last90Days = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: last90Days } },
    _count: true
  });
  return Response.json(analytics);
}
// Schedule quarterly review in calendar/ticketing system

Why it matters

Remediation

Create a session analytics endpoint at src/app/api/admin/session-analytics/route.ts and schedule a calendar review quarterly:

export async function GET() {
  const since = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000); // 90 days
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: since } },
    _count: true
  });
  return Response.json(analytics);
}

Detection

ID: finserv-session-security.session-lifecycle.session-analytics-reviewed
Severity: info
What to look for: Count all session analytics dashboards, reports, or review records. Quote the actual review date or schedule found. Verify at least 1 review exists within the past 90 days (quarterly). Enumerate the metrics tracked (concurrent sessions, timeout events, suspicious activity).
Pass criteria: At least 1 session analytics dashboard or report exists, AND at least 1 review record is dated within the past 90 days. Count all metrics tracked — at least 3 session metrics must be monitored. Report the count even on pass (e.g., "1 analytics endpoint, last review 2026-01-15, 4 metrics: logins, timeouts, concurrent, suspicious").
Fail criteria: No dashboard or metrics (0 analytics endpoints), or no review within 90 days, or fewer than 3 metrics tracked.
Skip (N/A) when: The application is not subject to regular security reviews — cite the actual compliance context found.
Detail on fail: "0 session analytics dashboards found — no session activity monitoring" or "Dashboard exists but 0 review records within 90 days"

Remediation: Create a session analytics dashboard and schedule quarterly reviews (in src/app/api/admin/session-analytics/route.ts):

// app/api/admin/session-analytics.ts
export async function GET() {
  const last90Days = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);
  const analytics = await db.sessionEvents.groupBy({
    by: ['event'],
    where: { timestamp: { gte: last90Days } },
    _count: true
  });
  return Response.json(analytics);
}
// Schedule quarterly review in calendar/ticketing system

Session analytics reviewed quarterly

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Session analytics reviewed quarterly

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History