login_storm_analysis
Detect login storms and rank slow login and boot contributors. Analyzes concurrent logins and flags sessions that exceed defined duration thresholds.
Instructions
[READ] Detect login storms + rank the slowest login/boot contributors.
Answers "is this a morning login storm, and which endpoints/users are dragging login and boot times?" Groups logins into storm episodes (>= min_concurrent within a window_s sliding window) and flags sessions slower than the thresholds — every flag is reported with its number, not a verdict. Pass 'sessions' for pure analysis, or a target to pull live via session_list.
Args: since_hours: Live look-back window when sessions is omitted (default 24). window_s: Sliding window that defines "concurrent" logins (default 300). min_concurrent: Logins within a window that constitute a storm (default 10). slow_login_ms: Login duration (ms) flagged as slow (default 30000). slow_boot_ms: Boot duration (ms) flagged as slow (default 90000). sessions: Injected session records — {endpoint, user, login_ms, boot_ms, timestamp (ISO-8601), result}; skips live collection. target: Endpoint-management target name from config; omit for the default.
Returns dict: {totalSessions, stormCount, storms:[{start, end, count, peakConcurrent, spanS, distinctUsers, distinctEndpoints, avgLoginMs}], slowLoginCount, slowestByLogin[], slowestByBoot[], failedLogins, thresholds}.
Example: login_storm_analysis(sessions=[{"endpoint":"tc01","user":"a", "login_ms":42000,"timestamp":"2026-07-12T08:00:00Z"}, ...]).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| target | No | ||
| sessions | No | ||
| window_s | No | ||
| since_hours | No | ||
| slow_boot_ms | No | ||
| slow_login_ms | No | ||
| min_concurrent | No |