Yovanni Pineda Data and Projects

Tableau Dashboard - Cybersecurity Threats

In today’s digital landscape, cybersecurity is a top priority for businesses. Unauthorized access attempts, brute-force attacks, and unusual login behaviors are common threats that IT security teams must monitor. In this article, I’ll guide you through creating a threat detection system using SQL and Tableau, allowing you to analyze login patterns and detect suspicious activities.

 

Step 1: Collecting and Storing Security Logs

Generating Synthetic Event Logs

 

For this exercise, I created a synthetic event log containing login attempts, user activities, IP addresses, and device information. The dataset includes records of successful logins, failed logins, and brute-force attempts.

 

Storing Data in MySQL
To analyze this data, I created a MySQL database called cybersecurity_logs and imported the dataset.

 

Step 2: Threat Detection Using SQL
Once the data was in MySQL, I ran threat detection queries to identify unauthorized access attempts.

1. Detecting Users with Too Many Failed Logins
The first check finds users with more than 5 failed login attempts.

2. Identifying Brute Force Attacks
Brute-force attacks involve repeated failed logins from the same IP, so this check flags IPs with more than 10 failed attempts.

3. Detecting Suspicious Logins from Multiple Locations
If a user logs in from different locations in a short period, it could indicate account compromise.
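The three checks above, written out as an added example (not the author's original queries) for MySQL 8.0. The table name `login_events`, its column names, the sample rows and the 1-hour window in the third query are assumptions; the event type values and the thresholds of 5 and 10 come from the article.

```sql
-- Assumed schema, modelled on the fields the article names
-- (ID, Username, Event Type, Location, Timestamp, IP address).
CREATE TABLE login_events (
    id         INT PRIMARY KEY,
    username   VARCHAR(64) NOT NULL,
    event_type VARCHAR(32) NOT NULL,   -- 'Failed Login' or 'Login Success'
    ip_address VARCHAR(45) NOT NULL,
    location   VARCHAR(64) NOT NULL,
    event_time DATETIME    NOT NULL
);

-- Constructed sample data: 12 failed logins for one account from one IP ...
INSERT INTO login_events
WITH RECURSIVE n (i) AS (SELECT 1 UNION ALL SELECT i + 1 FROM n WHERE i < 12)
SELECT i, 'alice', 'Failed Login', '203.0.113.7', 'Boston',
       DATE_ADD('2025-01-10 09:00:00', INTERVAL i SECOND)
FROM n;
-- ... plus an account that logs in from two cities 20 minutes apart.
INSERT INTO login_events VALUES
    (13, 'bob',   'Login Success', '198.51.100.4', 'Chicago', '2025-01-10 10:00:00'),
    (14, 'bob',   'Login Success', '192.0.2.99',   'Berlin',  '2025-01-10 10:20:00'),
    (15, 'carol', 'Failed Login',  '192.0.2.15',   'Denver',  '2025-01-10 11:00:00');

-- 1. Users with more than 5 failed logins.
SELECT username, COUNT(*) AS failed_logins
FROM login_events
WHERE event_type = 'Failed Login'
GROUP BY username
HAVING COUNT(*) > 5
ORDER BY failed_logins DESC;

-- 2. Source IPs with more than 10 failed logins, with the activity window.
SELECT ip_address, COUNT(*) AS failed_logins,
       COUNT(DISTINCT username) AS accounts_targeted,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM login_events
WHERE event_type = 'Failed Login'
GROUP BY ip_address
HAVING COUNT(*) > 10;

-- 3. Same user, successful logins from different locations within 1 hour.
SELECT a.username, a.location AS first_location, a.event_time AS first_login,
       b.location AS second_location, b.event_time AS second_login
FROM login_events a
JOIN login_events b ON b.username = a.username
 AND b.location <> a.location
 AND b.event_time > a.event_time
 AND b.event_time <= a.event_time + INTERVAL 1 HOUR
WHERE a.event_type = 'Login Success' AND b.event_type = 'Login Success';
```

Queries 1 and 2 count over the whole table, so on a long-running log they should be bounded by a time filter on `event_time`; otherwise an account with occasional typos over many months crosses the threshold.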

 

Step 3: Visualizing Cybersecurity Data in Tableau
With the SQL queries providing insights, I imported the data into Tableau to create interactive visualizations.

1. Bar Chart: Users with the Most Failed Logins
This helps identify accounts under attack.

Drag Username to Columns.
Drag Event Type to Filters, selecting only “Failed Login”.
Drag ID to Rows and set aggregation to COUNTD(ID).
Sort in descending order to see the most attacked users.

2. Map: Login Attempts by Location
This highlights login locations and helps spot unauthorized access.

Drag Location to Columns.
Drag ID to Rows and set aggregation to COUNT(ID).
Filter Event Type to “Login Success”.
Select a Map Chart and adjust color intensity.

3. Line Chart: Failed Logins Over Time
This reveals attack trends and spikes in login attempts.

Drag Timestamp to Columns.
Drag ID to Rows and set aggregation to COUNT(ID).
Filter Event Type to “Failed Login”.
Choose a Line Chart and add a trendline.

 

Step 4: Fixing Unknown Geographic Locations in Tableau
When I first plotted the “Location” field in Tableau, some cities were missing. Tableau marked them as “Unknown”. Here’s how I fixed it:

Right-clicked Location → “Geographic Role” → “City”.
Clicked “Edit Locations” and manually corrected unrecognized city names.
Added a “Country” column in my dataset to improve location accuracy.

 

Conclusion
With this SQL + Tableau solution, I can now:

Detect brute-force attacks in real time.
Monitor suspicious login activity visually.
Improve security monitoring for organizations.
