We discussed techniques for request chaining here:  https://www.blogger.com/blogger.g?blogID=1985795500472842279#editor/target=post;postID=859017183586117344;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=link
We were looking at some of the search queries that are typical of searching the logs of identity provider: 
Some other interesting events for identity include

5)  – failed attempt to login to a disabled account 

Here we look for all failed login events and filter out those that have been due to a disabled account. We do this for a given time range and then we count the events based on attributes such as those belonging to a specific account 

6) Failed versus successful logon attempts – While there may be counters for failed versus successful logon attempts globally, it requires to scan the logs for individual accounts. Here we find all the requests associated with the customer and then we filter out the ones that are logon attempts and for each logon attemps we find the corresponding success or failure response by following the sequence of requests from each such starting request. Then we split the failure versus success counts 

7) Getting a list of concurrent users – Generally this requires a time-frame where the associated  events are collected and then they are processed for detecting active distinct sessions or customers – either of which may serve the purpose. Again we filter the requests to see who have not signed out and then count it. 

8) Success rate of workflows – An identity provider may have some common use cases such as register account, sign in, change account details and forgot password. The number of failures encountered in each workflow on a customer by customer count may also indicate a form of success rate because the total number of customers calling in a 24 hour period is an easy aggregation.