Most commonly accessed business applications
Your workforce is fully remote. To ensure network security, you want to report on what applications users are accessing most over certain time periods each day.
Authentication data, normalized to the Authentication data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
Run the following search. You can optimize it by specifying a time range.
| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype | where 'Authentication.app'!=sourcetype | timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| `\| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype` | Search the main and firewall indexes for authentication actions and group the results by application. Set |
| `\| where 'Authentication.app'!=sourcetype` | Filter results to remove those where the application involved in the event is a sourcetype. |
| `\| timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app` | Create a chart that shows the 10 most accessed applications in your organization on an hourly basis, without bucketing the remaining into an "other" category. Calculate a user count for each. |
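To make the aggregation semantics of the search concrete, here is an added Python walkthrough that is not part of the original page or of Splunk itself. It reproduces the three stages over a small set of constructed events shaped like CIM Authentication fields: keep successful logons only, drop rows whose app equals the sourcetype, count distinct users per hour and app, and keep only the top N apps by total unique users with no "other" series. The field names, sample values and the ranking rule used for `limit` are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data), using CIM-style field names.
EVENTS = [
    {"_time": "2024-03-01T09:05:00Z", "user": "alice", "app": "vpn", "sourcetype": "pan:traffic", "action": "success"},
    {"_time": "2024-03-01T09:20:00Z", "user": "bob", "app": "vpn", "sourcetype": "pan:traffic", "action": "success"},
    {"_time": "2024-03-01T09:40:00Z", "user": "alice", "app": "vpn", "sourcetype": "pan:traffic", "action": "success"},
    {"_time": "2024-03-01T09:50:00Z", "user": "carol", "app": "okta", "sourcetype": "okta:log", "action": "success"},
    {"_time": "2024-03-01T10:10:00Z", "user": "dave", "app": "vpn", "sourcetype": "pan:traffic", "action": "success"},
    {"_time": "2024-03-01T10:15:00Z", "user": "eve", "app": "mail", "sourcetype": "exchange", "action": "failure"},
    {"_time": "2024-03-01T10:30:00Z", "user": "frank", "app": "linux_secure", "sourcetype": "linux_secure", "action": "success"},
    {"_time": "2024-03-01T10:45:00Z", "user": "alice", "app": "okta", "sourcetype": "okta:log", "action": "success"},
]


def hour_bucket(iso_ts: str) -> str:
    """Truncate an ISO-8601 timestamp to the hour, mirroring span=1h."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return dt.strftime("%Y-%m-%dT%H:00")


def successful_auth(events):
    """Keep only successful logons (the Authentication.Successful_Authentication node)."""
    return [e for e in events if e["action"] == "success"]


def hourly_unique_users(events, limit=10):
    """Return {hour: {app: unique_user_count}} for the top `limit` apps.

    Mirrors the search: drop rows where app equals sourcetype, count distinct
    users per (hour, app), then keep only the `limit` apps with the largest
    total across all hours. Apps outside the top N are dropped rather than
    merged, matching useother=false. Ranking by summed per-hour counts is an
    assumption about how timechart picks its series.
    """
    users_per_bucket = defaultdict(set)
    for e in successful_auth(events):
        if e["app"] == e["sourcetype"]:
            continue  # the 'where' stage in the search
        users_per_bucket[(hour_bucket(e["_time"]), e["app"])].add(e["user"])

    totals = defaultdict(int)
    for (_, app), users in users_per_bucket.items():
        totals[app] += len(users)  # dc(user) summed over hours
    top_apps = set(sorted(totals, key=lambda a: (-totals[a], a))[:limit])

    chart = defaultdict(dict)
    for (hour, app), users in users_per_bucket.items():
        if app in top_apps:
            chart[hour][app] = len(users)
    return {h: chart[h] for h in sorted(chart)}


if __name__ == "__main__":
    for hour, apps in hourly_unique_users(EVENTS).items():
        print(hour, apps)
```

Running it shows why the filters matter: the failed logon for `mail` never counts, the `linux_secure` row is dropped because its app equals its sourcetype, and `alice` authenticating to `vpn` twice in the 09:00 hour still contributes a distinct count of one.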
If you want to see only the single most accessed application, replace this line of the search with:
This search highlights the most accessed applications on your network over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network.
Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.