Use case

Log Workspaces allows you to bring in log data to analyze login attempts and audit access to electronic protected health information (e-PHI). To start monitoring and identifying failed login attempts using Workspaces’ flexible querying and visualization options, follow these steps.

Setup

This guide assumes that you are:

  • Submitting logs to Datadog for a similar use case.
  • Able to create a workspace and add cells.

1. Bring in your data source

To get started, bring in the logs from the service(s) you want to analyze.

  1. Create a new Workspace.
  2. Select Logs Query as your data source.

2. Query for failed logins

To search for failed login attempts, which might indicate unauthorized attempts to access e-PHI, set up your logs query to filter for these events. An example query might include filtering by an event outcome code that signifies failure.

Example workspace query to find failed login attempts

You can add any additional filters, facets, or attributes to narrow your search based on your requirements and what is available in your logs.

3. Count failed logins by user ID

To analyze the data further, you can count the number of failed login attempts by user ID and sort the results. This is helpful for identifying users with repeated failed login attempts, which may require further investigation.

  1. Add an Analysis cell to your workspace.
  2. Run a SQL query.
    SELECT * FROM failed_logins
    
    Analysis cell with query to count the number of failed logins
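
The query shown in step 2 above returns every row rather than a count. One way to produce the per-user count and sort that this section describes, as an added example that is not taken from the Datadog documentation: it assumes the Logs Query cell is named `failed_logins` and exposes `user_id` and `timestamp` columns (hypothetical names), and it uses a constructed threshold of 5.

```sql
-- Added example, not from the original page.
-- Assumptions: the Logs Query cell from step 2 is named failed_logins and
-- exposes columns user_id and timestamp (hypothetical names; substitute the
-- columns your own cell actually returns).
SELECT
    user_id,
    COUNT(*)       AS failed_login_count,  -- failures per user in the selected time range
    MIN(timestamp) AS first_failure,       -- start of the failure run
    MAX(timestamp) AS last_failure         -- most recent failure
FROM failed_logins
GROUP BY user_id
HAVING COUNT(*) >= 5                       -- constructed threshold; tune to your baseline
ORDER BY failed_login_count DESC           -- users with the most failures first
```

A short gap between `first_failure` and `last_failure` with a high count points to a burst of attempts, while the same count spread over days is more likely a forgotten password.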

4. Visualize failed logins over time

To get a clearer picture of when failed logins are occurring, you can create a timeline or Timeseries visualization.

  1. Add a Visualization cell.
  2. Choose Timeseries from the “Visualize as” dropdown.
  3. Configure the graph to display the number of failed login attempts over time, using your query results as the data source.
