Analyze Login Attempts for e-PHI
Use case
Log Workspaces allows you to bring in log data to analyze login attempts and audit access to electronic protected health information (e-PHI). To start monitoring and identifying failed login attempts, use Workspaces’ flexible querying and visualization options by following these steps.
Setup
This guide assumes that you are:
- Submitting logs to Datadog for a similar use case.
- Able to create a workspace and add cells.
1. Bring in your data source
To get started, bring in the logs from the service(s) you want to analyze.
- Create a new Workspace.
- Select Logs Query as your data source.
2. Query for failed logins
To search for failed login attempts, which might indicate unauthorized attempts to access e-PHI, set up your logs query to filter for these events. An example query might include filtering by an event outcome code that signifies failure.
You can add any additional filters, facets, or attributes to narrow your search based on your requirements and what is available in your logs.
3. Count failed logins by user ID
To analyze the data further, you can count the number of failed login attempts by user ID and sort the results. This is helpful for identifying users with repeated failed login attempts, which may require further investigation.
- Add an Analysis cell to your workspace.
- Run a SQL query.
SELECT * FROM failed_logins
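The query above returns every matching row. One way to get the per-user count and sort that this step describes is shown below, as an added example that is not part of the original guide. It assumes the events expose `user_id`, `source_ip`, and `timestamp` columns (hypothetical names) and uses an illustrative threshold of 5.

```sql
-- Added example. failed_logins is the data source name used in the query above.
-- user_id, source_ip and timestamp are assumed column names: substitute the
-- attributes your login events actually carry.
SELECT
    user_id,
    COUNT(*)                  AS failed_attempts,   -- total failures per user
    COUNT(DISTINCT source_ip) AS distinct_sources,  -- how many origins were involved
    MIN(timestamp)            AS first_failure,     -- start of the failure window
    MAX(timestamp)            AS last_failure       -- most recent failure
FROM failed_logins
WHERE user_id IS NOT NULL        -- skip events with no user attribution
GROUP BY user_id
HAVING COUNT(*) >= 5             -- illustrative threshold, tune to your baseline
ORDER BY failed_attempts DESC, distinct_sources DESC;
```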
4. Visualize failed logins over time
To get a clearer picture of when failed logins are occurring, you can create a timeline or Timeseries visualization.
- Add a Visualization cell.
- Choose Timeseries from the “Visualize as” dropdown.
- Configure the graph to display the number of failed login attempts over time, using your query results as the data source.