Skip to main content
Glama
AIops-tools

endpoint-aiops-mcp

by AIops-tools

login_storm_analysis

Detect login storms and rank slow login and boot contributors. Analyzes concurrent logins and flags sessions that exceed defined duration thresholds.

Instructions

[READ] Detect login storms + rank the slowest login/boot contributors.

Answers "is this a morning login storm, and which endpoints/users are dragging login and boot times?" Groups logins into storm episodes (>= min_concurrent within a window_s sliding window) and flags sessions slower than the thresholds — every flag is reported with its number, not a verdict. Pass 'sessions' for pure analysis, or a target to pull live via session_list.

Args: since_hours: Live look-back window when sessions is omitted (default 24). window_s: Sliding window that defines "concurrent" logins (default 300). min_concurrent: Logins within a window that constitute a storm (default 10). slow_login_ms: Login duration (ms) flagged as slow (default 30000). slow_boot_ms: Boot duration (ms) flagged as slow (default 90000). sessions: Injected session records — {endpoint, user, login_ms, boot_ms, timestamp (ISO-8601), result}; skips live collection. target: Endpoint-management target name from config; omit for the default.

Returns dict: {totalSessions, stormCount, storms:[{start, end, count, peakConcurrent, spanS, distinctUsers, distinctEndpoints, avgLoginMs}], slowLoginCount, slowestByLogin[], slowestByBoot[], failedLogins, thresholds}.

Example: login_storm_analysis(sessions=[{"endpoint":"tc01","user":"a", "login_ms":42000,"timestamp":"2026-07-12T08:00:00Z"}, ...]).

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
targetNo
sessionsNo
window_sNo
since_hoursNo
slow_boot_msNo
slow_login_msNo
min_concurrentNo
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden. It clearly marks the tool as READ by starting with '[READ]'. It describes what the tool does (detects storms, flags slow sessions) and what it returns (dict with fields). It does not mention any destructive side effects, and no contradictions arise.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with a concise opening line, a guiding question, parameter list, return value description, and example. It is front-loaded with key purpose. Slightly verbose but every sentence adds value for a complex tool.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (7 params, no output schema, 0% schema coverage), the description is complete. It covers purpose, parameter semantics, return structure, and provides an example. The agent can fully understand how to invoke and interpret results.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, but the description provides thorough parameter explanations for all 7 parameters, including defaults (e.g., 'default 24'), units (ms, s), and behavior (e.g., 'Pass sessions for pure analysis'). This adds significant meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Detect login storms + rank the slowest login/boot contributors.' It specifies the action (detect and rank) and the resource (login storms and slow contributors), and distinguishes it from sibling tools like 'session_list' or 'endpoint_list' by focusing on storm analysis.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit context for when to use: 'Answers is this a morning login storm...' It also gives guidance on input options: 'Pass sessions for pure analysis, or a target to pull live via session_list.' However, it does not explicitly state when NOT to use or name alternative tools for different scenarios.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/AIops-tools/Endpoint-AIops'

If you have feedback or need assistance with the MCP directory API, please join our Discord server