Behavior Analytics

Local plugins ::: local_behavioranalytics
Maintained by Christopher Reimann
Detects unusual or risky user behaviour in Moodle — such as failed logins, impossible travel, unusual login hours, or rapid activity bursts — and triggers automated mitigation actions (e.g. suspend account, kill sessions, notify admins).
Latest release:
2 sites
25 downloads
2 fans
Current versions available: 1
Download

🧠 Behaviour Analytics for Moodle

Behaviour Analytics helps administrators detect and respond to unusual or risky user activity in Moodle.
It continuously analyses login patterns, activity rates, and geographic access data to identify potential security issues or compromised accounts — all while respecting Moodle’s privacy standards.

🔍 What it does

The plugin monitors Moodle’s activity logs and computes a behavioural risk score for each user based on multiple detectors:

  • Failed Logins – detects multiple consecutive failed login attempts, flagging potential brute-force attacks.

  • Unusual Login Time – highlights users active at atypical hours (e.g., late-night logins).

  • IP Velocity – detects “impossible travel” between distant IP addresses.

  • Activity Burst – flags unusually rapid activity bursts suggesting automation or account misuse.

Each rule contributes to a weighted risk score, giving administrators a clear picture of who might need attention.

🚨 Mitigation Actions

When a user’s risk score exceeds the configured threshold, the system can automatically:

  • Inform administrators via Moodle messages (with built-in duplicate suppression).

  • Suspend the user account to prevent further access.

  • Kill all active sessions immediately.

Administrators can choose which actions to enable and adjust thresholds to match their security posture.

⚙️ Configuration and Reporting

A central configuration interface lets you:

  • Select which detectors are active and their weights.

  • Choose a scoring strategy (weighted mean, cumulative sum, or max rule).

  • Review top-risk users under Site administration → Reports → Behaviour Analytics.

  • Inspect detailed per-user findings, showing how each detector contributed to the overall score.

🔒 Privacy-Respecting by Design

  • Fully implements Moodle’s Privacy API.

  • Stores only aggregated risk profiles — never raw log data.

  • Compliant with GDPR and Moodle’s data-handling standards.

🧩 Technical Highlights

  • Modular architecture for adding new detectors or actions.

  • Comprehensive PHPUnit test suite for all components.

  • Lightweight scheduled task system — minimal performance impact.

  • Compatible with Moodle 5.x.

License: GPL v3+

Useful links

Source control URL
Bug tracker

Screenshots

Screenshot #0
Screenshot #1
Screenshot #2

Contributors

Christopher Reimann (Lead maintainer)
View other contributions
Please login to view contributors details and/or to contact them

Awards

Automated testing support
Automated testing support
Privacy friendly
Privacy friendly

Comments

Show comments
Please login to post comments