Does anyone have a query or method for producing a list of all applications accessed by specific people within a certain time frame?
What is this in the context of? What kind of applications? Do you mean apps on a server, or local applications running on a laptop, such as MS Office?
David
Hi David,
Thank you for your reply. I am referring to mainly local applications. I believe I already have access to cloud applications.
Cameron
So you would be selecting the Process Start Events under Endpoint Activity, and then you can search for the relevant process names. You may need to rely on hostnames rather than user names, though, as process starts are not attributed to users (some process start events will show the user information, but that is not guaranteed for all of them).
For example:
where("process.name" ICONTAINS "chrome") groupby("process.username")
Also, you could use:
where("process.name" ICONTAINS "chrome" and "hostname" IIN ["EC2AMAZ-GSAN2OH","1234","5678"]) groupby("hostname","process.username")
To filter for specific hostnames, and groupby the hostname to visualize it.
Note that the default group limit is 40; you can increase that up to 20,000 like so:
where("process.name" ICONTAINS "chrome" and "hostname" IIN ["EC2AMAZ-GSAN2OH","1234","5678"]) groupby("hostname","process.username") limit(20000)
Thank you David, I really appreciate the help.
So the process is that you would have to search for each application individually, and there isn't a way to produce a list of all accessed applications?
The way I structured the query, you could list out the names: IIN takes a list of values, which could be all of the applications. You can also leverage log search variables; see here: Use Variables in Queries | InsightIDR Documentation
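As an added example (not part of the thread, and not Rapid7 code or the InsightIDR API), the Python below emulates the where/groupby pattern from David's queries over a handful of constructed process start events, so the filtering and grouping can be run offline. It also exercises the caveat raised above: an event with no user attribution is kept under a placeholder rather than dropped, and the host filter is case-insensitive like IIN. The field names "hostname", "process.name" and "process.username" are taken from the queries on this page; the event records, the NO_USER label and the function names are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample process start events (not real telemetry). The keys are the
# field names used in the LEQL queries above; the values are made up here.
SAMPLE_EVENTS = [
    json.dumps({"hostname": "EC2AMAZ-GSAN2OH", "process.name": "chrome.exe",
                "process.username": "CORP\\cameron"}),
    json.dumps({"hostname": "ec2amaz-gsan2oh", "process.name": "EXCEL.EXE",
                "process.username": "CORP\\cameron"}),
    # A process start with no user attribution, as the thread warns can happen.
    json.dumps({"hostname": "EC2AMAZ-GSAN2OH", "process.name": "WINWORD.EXE"}),
    json.dumps({"hostname": "1234", "process.name": "Chrome.exe",
                "process.username": "CORP\\david"}),
    json.dumps({"hostname": "5678", "process.name": "svchost.exe",
                "process.username": "NT AUTHORITY\\SYSTEM"}),
    # A host outside the scope of the question; the filter should drop it.
    json.dumps({"hostname": "9999", "process.name": "chrome.exe",
                "process.username": "CORP\\someone"}),
]

NO_USER = "(not attributed)"  # placeholder label chosen for this example


def iin(value, values):
    """Case-insensitive list membership, mirroring LEQL's IIN operator."""
    return value is not None and value.casefold() in {v.casefold() for v in values}


def icontains(value, needle):
    """Case-insensitive substring match, mirroring LEQL's ICONTAINS operator."""
    return value is not None and needle.casefold() in value.casefold()


def applications_by_user(raw_events, hostnames, applications=None, limit=20000):
    """Emulate:
         where("hostname" IIN [...] [and "process.name" IIN [...]])
         groupby("hostname", "process.username") limit(N)
    and return {(hostname, username): {process_name: start_count}}.

    With applications=None every process seen on the chosen hosts is kept, which
    is how you get one list of all applications instead of one search per app.
    Groups are keyed on the hostname exactly as recorded, so "EC2AMAZ-GSAN2OH"
    and "ec2amaz-gsan2oh" land in separate groups even though IIN matched both.
    """
    groups = defaultdict(lambda: defaultdict(int))
    for raw in raw_events:
        ev = json.loads(raw)
        if not iin(ev.get("hostname"), hostnames):
            continue
        if applications is not None and not iin(ev.get("process.name"), applications):
            continue
        key = (ev["hostname"], ev.get("process.username", NO_USER))
        groups[key][ev["process.name"]] += 1
    # Mirror the group limit: keep at most `limit` (hostname, username) groups.
    return {k: dict(v) for k, v in list(groups.items())[:limit]}


if __name__ == "__main__":
    scope = ["EC2AMAZ-GSAN2OH", "1234", "5678"]
    for (host, user), apps in applications_by_user(SAMPLE_EVENTS, scope).items():
        print(f"{host:16} {user:22} {apps}")
    print("chrome only:", applications_by_user(SAMPLE_EVENTS, scope, ["chrome.exe"]))
```

The hostname list is the same one David used, so the output lines up with the second and third queries above; passing a list of application names reproduces the IIN-based approach from the last reply, and omitting it gives the "all applications per user" view Cameron asked about. Expect the mixed-case hostname to split one user across two groups, which is worth checking for in real data before trusting per-host totals.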