Skip to main content
Splunk Lantern

Most commonly accessed business applications

Your workforce is fully remote. To ensure network security, you want to report on what applications users are accessing most over certain time periods each day.

Required data

Authentication data, normalized to the Authentication data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

Run the following search. You can optimize it by specifying a time range​​​​​​​.

| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype
| where 'Authentication.app'!=sourcetype
| timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE  (index=main OR index=firewall)  nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype
 

Search the main and firewall indexes for authentication actions and group the results by application. Set prestats to true so the results can be sent to a chart.

| where 'Authentication.app'!=sourcetype Filter results to remove those where the application involved in the event is a sourcetype.
| timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app

Create a chart that shows the 10 most accessed applications in your organization on an hourly basis, without bucketing the remaining into an "other" category. Calculate a user count for each.

If you want to see only single most accessed application, replace this line of the search with:
| stats dc(Authentication.user) AS unique_users BY Authentication.app
| sort 1 - unique_users

Next steps

This search highlights the most accessed applications on your network over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.