
Reports overview

The Reports surface is the platform's "I want a structured view of X across N days" surface. Pre-built reports cover the everyday questions; you build custom reports for anything else.

Reports are grouped by audience:

  • Security — sign-in failures, brute-force events, breach-incident matches, threat-feed hits, anomalous sessions.
  • Identity — user signups, MFA enrolment rate, factor distribution, password reset rate.
  • Applications — sign-ins per application, scope-usage distribution, application activity over time.
  • Operations — flow run rates, action failure rates, webhook delivery health.
  • Compliance — GDPR-erasure events, audit-log retention status, policy-change history.
  • Custom — reports you build with the report builder.

Each report has filters (time range, application, user group, etc.) and visualisations (charts, tables, KPIs).

Audit is for "show me every event"; Reports is for "summarise / chart over time".

Roughly:

  • "Why did sign-in fail at 14:00 yesterday?" — Audit. Drill into the specific event.
  • "What's our sign-in failure rate week-over-week?" — Reports → Security → Sign-in failures over time.
  • "How many users enrolled MFA last quarter?" — Reports → Identity → MFA enrolment over time.
  • "Show me every action this admin took in March" — Audit. Reports doesn't filter by individual actor.

Reports are statistical summaries; Audit is the underlying truth.

Reports → pick a category → pick a report → set filters → Run.

The report renders inline. Most are sub-second; a few that cross the whole audit corpus may take a few seconds.

You can:

  • Refresh — re-run with current data.
  • Export — CSV or JSON for downstream use (a spreadsheet, your BI tool).
  • Schedule — email the report to a list on a cadence (daily / weekly / monthly).
  • Favourite — save the report for quick access from the sidebar. See Favorite reports.

A handful of the most-used:

  • Sign-in success rate — % of attempts that complete, by application + by week.
  • MFA enrolment progress — % of users with at least one factor enrolled.
  • Top sign-in failure reasons — bar chart of the failure codes over the last 7 days.
  • Brute-force events — count + IPs over time.
  • Application traffic — sign-ins per application per day, sortable.
  • Policy change history — every admin.policy_updated event, with diff.
  • GDPR erasures — user.deleted events with gdpr_mode: true.
  • Refresh-token reuse detections — events where the rotation defence caught a stolen token.

The full catalogue is in the Reports surface itself; the list grows over releases.

For "I want a report that's not in the catalogue":

Reports → Custom → New report. The report builder is a visual SQL-like surface:

  • Source — pick a data source (audit, users, applications, etc. — see Data sources).
  • Filters — narrow the source.
  • Group by — aggregate dimension.
  • Metric — count / sum / avg / etc.
  • Visualisation — chart type.

Save. The report appears in the Custom category. Share it with teammates by exporting the report's definition; they import it on their side.

Reports run against pre-aggregated materialised views, refreshed on a schedule:

  • High-frequency views (sign-ins, MFA events) — refreshed every 5 minutes.
  • Medium-frequency views (user lifecycle, applications) — every hour.
  • Daily-rollup views — once a day.

A report shows the freshness in the top-right corner ("data as of 14:23, 3 minutes ago"). For real-time data, use Audit + Read logs instead.

Reports are tenant-scoped. Cross-tenant rollups are in the CP admin console — see CP admin reports (when authored).

Some statistical / forensic queries the platform DOES NOT surface as reports:

  • Per-user patterns — "show me users with anomalous sign-in patterns". Privacy-sensitive; surfaced only via the user detail page's sign-in history.
  • Comparison to other tenants — "are we worse / better than average?" — the platform doesn't expose cross-tenant comparisons.
  • Predictive forecasts — "will MFA enrolment hit 100% by end of quarter?" — out of scope; build your own with the exported data if needed.