audit-analytics

Advanced analytics layer over your audit log. Runs z-score anomaly detection on actor behaviour, generates user activity heatmaps, and flags privileged actions for periodic review. Useful for SOC 2 Type II evidence and insider-threat detection without a full SIEM deployment.

Pro Plugin — ɳSelf+ membership required

The base nself-audit log capture is free. This plugin adds the analytics, anomaly detection, and review queue features that require ɳSelf+.

Install

# nself-audit (free) must be installed first
nself plugin install nself-audit
nself plugin install audit-analytics
nself build
nself start

Configuration

Variable	Required	Default	Description
`NSELF_AUDIT_ANALYTICS`	No	true	Enable the analytics service
`NSELF_AUDIT_ANOMALY_ZSCORE`	No	3.0	Z-score threshold above which an event is flagged as anomalous
`NSELF_AUDIT_HEATMAP_REFRESH`	No	3600	Seconds between heatmap materialized view refreshes
`NSELF_AUDIT_PRIVILEGED_REVIEW_TTL`	No	86400	Seconds before an unreviewed privileged action becomes overdue
`NSELF_AUDIT_ALERT_WEBHOOK`	No	—	Webhook URL to POST anomaly and overdue-review alerts
`NSELF_AUDIT_ALERT_EMAIL`	No	—	Email address for anomaly alert delivery
`AUDIT_ANALYTICS_PORT`	No	3714	Port for the analytics HTTP server

API reference

Endpoint	Method	Description
`/audit/analytics/anomalies`	GET	List detected anomalies with scores and actor context
`/audit/analytics/anomalies/:id`	GET / PATCH	Read or disposition an anomaly (acknowledged, false-positive, escalated)
`/audit/analytics/heatmap`	GET	User activity heatmap (actor × hour-of-week × action type)
`/audit/analytics/top-actors`	GET	Ranked list of most-active users by action count in a date range
`/audit/privileged-reviews`	GET	Privileged actions pending review
`/audit/privileged-reviews/:id`	POST	Submit a review disposition for a privileged action
`/audit/privileged-reviews/overdue`	GET	Actions that have exceeded the review TTL
`/audit/analytics/refresh`	POST	Manually trigger a heatmap view refresh
`/audit/analytics/status`	GET	Last refresh time, anomaly counts, and queue depth

Database tables

Table	Purpose
`np_audit_anomalies`	Detected anomalies with z-scores and disposition status
`np_audit_privileged_reviews`	Privileged actions pending human review with TTL tracking

Webhooks

Set NSELF_AUDIT_ALERT_WEBHOOK to receive POST requests for:

anomaly.detected — an actor's z-score exceeded the threshold
anomaly.reviewed — a reviewer set a disposition
privileged_review.overdue — a review exceeded its TTL

nself-audit: Base tamper-evident audit log (required)
siem: Forward events to Splunk, Datadog, or Elastic
compliance: Full compliance posture dashboard

Port: 3714 | Pro Plugin — ɳSelf+ | v1.0.0 | Ships: v1.1.0

audit-analytics

Pro Plugin — ɳSelf+ membership required

The base nself-audit log capture is free. This plugin adds the analytics, anomaly detection, and review queue features that require ɳSelf+.

Install

# nself-audit (free) must be installed first
nself plugin install nself-audit
nself plugin install audit-analytics
nself build
nself start

Configuration

Variable	Required	Default	Description
`NSELF_AUDIT_ANALYTICS`	No	true	Enable the analytics service
`NSELF_AUDIT_ANOMALY_ZSCORE`	No	3.0	Z-score threshold above which an event is flagged as anomalous
`NSELF_AUDIT_HEATMAP_REFRESH`	No	3600	Seconds between heatmap materialized view refreshes
`NSELF_AUDIT_PRIVILEGED_REVIEW_TTL`	No	86400	Seconds before an unreviewed privileged action becomes overdue
`NSELF_AUDIT_ALERT_WEBHOOK`	No	—	Webhook URL to POST anomaly and overdue-review alerts
`NSELF_AUDIT_ALERT_EMAIL`	No	—	Email address for anomaly alert delivery
`AUDIT_ANALYTICS_PORT`	No	3714	Port for the analytics HTTP server

API reference

Endpoint	Method	Description
`/audit/analytics/anomalies`	GET	List detected anomalies with scores and actor context
`/audit/analytics/anomalies/:id`	GET / PATCH	Read or disposition an anomaly (acknowledged, false-positive, escalated)
`/audit/analytics/heatmap`	GET	User activity heatmap (actor × hour-of-week × action type)
`/audit/analytics/top-actors`	GET	Ranked list of most-active users by action count in a date range
`/audit/privileged-reviews`	GET	Privileged actions pending review
`/audit/privileged-reviews/:id`	POST	Submit a review disposition for a privileged action
`/audit/privileged-reviews/overdue`	GET	Actions that have exceeded the review TTL
`/audit/analytics/refresh`	POST	Manually trigger a heatmap view refresh
`/audit/analytics/status`	GET	Last refresh time, anomaly counts, and queue depth

Database tables

Table	Purpose
`np_audit_anomalies`	Detected anomalies with z-scores and disposition status
`np_audit_privileged_reviews`	Privileged actions pending human review with TTL tracking

Webhooks

Set NSELF_AUDIT_ALERT_WEBHOOK to receive POST requests for:

anomaly.detected — an actor's z-score exceeded the threshold
anomaly.reviewed — a reviewer set a disposition
privileged_review.overdue — a review exceeded its TTL

nself-audit: Base tamper-evident audit log (required)
siem: Forward events to Splunk, Datadog, or Elastic
compliance: Full compliance posture dashboard

Port: 3714 | Pro Plugin — ɳSelf+ | v1.0.0 | Ships: v1.1.0

audit-analytics

Pro Plugin — ɳSelf+ membership required

Install

Configuration

API reference

Database tables

Webhooks

Related

audit-analytics

Pro Plugin — ɳSelf+ membership required

Install

Configuration

API reference

Database tables

Webhooks

Related