Your workforce is fully remote. To ensure network security, you want to report on how many successful logins to your VPN there were over certain time periods each day.
Run the following search. You can optimize it by specifying a time range.
| tstats prestats=t count FROM datamodel=Authentication WHERE index=main OR index=firewall BY _time Authentication.action span=1h | timechart span=1d count BY Authentication.action | eval "Success Rate %" = round(success/(success+failure)*100,2) | rename failure AS "Failure", success AS "Success"
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|| tstats prestats=t count FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY _time Authentication.action span=1h||
Search the main and firewall indexes for authentication actions and group the results in one-hour increments. Set
|| timechart span=1d count BY Authentication.action||Create a chart that shows the count of authentications bucketed into one day increments.|
|| eval "Success Rate %" = round(success/(success+failure)*100,2)||Calculate the percentage of total successful logins, rounded to two decimals.|
|| rename failure AS "Failure", success AS "Success"||Rename the fields as shown for better readability.|
This search returns a table and chart of successful VPN logins each day over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network.
Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.