Count Total Policy Events

Track the total number of policy-related events

This is a query example for the Policy events widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Query flow: Events → Filter → Filter → Filter → Aggregate → Result Set

```logscale
metadata.eventType = UserActivityAuditEvent
| metadata.customerIDString = *
| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
| count()
```

Introduction

This widget is used to count the total number of policy-related events across the system.

In this widget, the count() function is used to calculate the total number of policy-related events that match specific operation types.

Example incoming data might look like this:

@timestamp                      2026-01-20T08:41:21
#repo                           auto-dashboard-queries
#type                           siem-connector
@id                             QTsJCoPniAANCCdKBxWdooCq_14_197_1768898481
@ingesttimestamp                2026-01-20T08:41:21
@timestamp.nanos                0
@timezone                       Z
event.AuditKeyValues[0].Key     AUD-9e3d5c8a
event.AuditKeyValues[0].Value   Changed password expiration policy from 60 to 45 days
event.AuditKeyValues[1].Value   Exported configuration backup of firewall cluster 'edge-fw-01'
event.ComputerName              PROD-SQL01
event.OperationName             create_policy
event.UserId                    bakerm
metadata.customerIDString       k1l2m3n4o5p6q7r8s9t0
metadata.eventCreationTime      1768898481267
metadata.eventType              UserActivityAuditEvent

Step-by-Step

  1. Starting with the source repository events.

  2. Filter (Events → Filter [this step] → Filter → Filter → Aggregate → Result Set)

    ```logscale
    metadata.eventType = UserActivityAuditEvent
    ```

    Filters events to include only user activity audit events where metadata.eventType equals UserActivityAuditEvent.

  3. Filter (Events → Filter → Filter [this step] → Filter → Aggregate → Result Set)

    ```logscale
    | metadata.customerIDString = *
    ```

    Ensures metadata.customerIDString exists by matching any value.

  4. Filter (Events → Filter → Filter → Filter [this step] → Aggregate → Result Set)

    ```logscale
    | event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
    ```

    Filters for specific policy-related operations in the event.OperationName field, including policy creation, updates, assignments, enabling, removal, disabling, deletion, and precedence updates.

  5. Aggregate (Events → Filter → Filter → Filter → Aggregate [this step] → Result Set)

    ```logscale
    | count()
    ```

    Counts the total number of events that match the filter conditions, and returns the result in the default field _count.

  6. Event result set.
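The same three filters and the count() aggregation, re-implemented in Python over constructed sample events so the pipeline can be checked offline. This is an added example, not code from the crowdstrike/siem-connector package; it assumes each event is a flat dict keyed by the LogScale field names used in the query, and it shows why the `metadata.customerIDString = *` existence check and the exact-match in() list each drop events the widget must not count.

```python
"""Offline re-implementation of the Policy events widget query (added example)."""

# Operation names from the query's in() list. in() matches case-sensitively by
# default (ignoreCase=false), so a plain set membership test mirrors it.
POLICY_OPERATIONS = {
    "create_policy", "update_policy", "assign_policy", "enable_policy",
    "remove_policy", "disable_policy", "delete_policy", "update_precedence",
}

# Constructed sample events, not real telemetry. Only the first two should count.
SAMPLE_EVENTS = [
    {"metadata.eventType": "UserActivityAuditEvent", "metadata.customerIDString": "k1l2m3n4o5p6q7r8s9t0",
     "event.OperationName": "create_policy", "event.UserId": "bakerm"},
    {"metadata.eventType": "UserActivityAuditEvent", "metadata.customerIDString": "k1l2m3n4o5p6q7r8s9t0",
     "event.OperationName": "update_precedence", "event.UserId": "bakerm"},
    # Policy operation but no customerIDString field: dropped by `metadata.customerIDString = *`
    {"metadata.eventType": "UserActivityAuditEvent",
     "event.OperationName": "delete_policy", "event.UserId": "svc-acct"},
    # Correct event type, but not a policy operation: dropped by the in() filter
    {"metadata.eventType": "UserActivityAuditEvent", "metadata.customerIDString": "k1l2m3n4o5p6q7r8s9t0",
     "event.OperationName": "user_login", "event.UserId": "bakerm"},
    # Policy-named operation on another event type: dropped by the first filter
    {"metadata.eventType": "DetectionSummaryEvent", "metadata.customerIDString": "k1l2m3n4o5p6q7r8s9t0",
     "event.OperationName": "create_policy"},
]


def is_user_activity_audit(event):
    """metadata.eventType = UserActivityAuditEvent"""
    return event.get("metadata.eventType") == "UserActivityAuditEvent"


def has_customer_id(event):
    """metadata.customerIDString = *  (wildcard match: the field must be present)"""
    return "metadata.customerIDString" in event


def is_policy_operation(event):
    """event.OperationName =~ in(values=[...])"""
    return event.get("event.OperationName") in POLICY_OPERATIONS


def count_policy_events(events):
    """Apply the filters in query order and return the count() result as {'_count': n}."""
    matched = [e for e in events
               if is_user_activity_audit(e) and has_customer_id(e) and is_policy_operation(e)]
    return {"_count": len(matched)}


if __name__ == "__main__":
    print(count_policy_events(SAMPLE_EVENTS))  # {'_count': 2}
```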

Summary and Results

The widget is used to provide a total count of all policy-related events in the system.

This widget is useful for monitoring the overall volume of policy changes, tracking policy management activity levels, and identifying periods of increased policy modification.

Sample output from the incoming example data:

_count
25

The result shows 25 policy-related events were found in the specified time period.