Count Policy Events by Users

Visualize policy-related events per user in a pie chart

This is a query example for the Policy events by Users widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events → Filter → Filter → Filter → Add Field → Aggregate → Expression → Result Set

```logscale
metadata.eventType = UserActivityAuditEvent
| metadata.customerIDString = *
| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
| User:=event.UserId
| groupby(User)
| events:=rename(_count)
```

Introduction

This widget is used to display the distribution of policy-related events across different users in the system, visualized as a pie chart.

In this widget, the groupBy() function aggregates events by user (with no function argument it defaults to count(), producing a _count field per user), and the rename() function renames that count field to events for better readability.

Example incoming data might look like this (one event, shown as field = value pairs):

@timestamp = 2026-01-20T08:44:43
#error = true
#humioBackfill = 0
#repo = auto-dashboard-queries
#type = siem-connector
@error = true
@error_msg = timestamp was not set to a value after 1971. Setting it to now
@error_msg[0] = timestamp was not set to a value after 1971. Setting it to now
@id = sd6u8WImB06fMtTL7gzFlqYX_2_13_1768898683
@ingesttimestamp = 2026-01-20T08:44:43
@timestamp.nanos = 0
@timezone = Z
event.AgentIdString = 12345678123456781234567812345678
event.Attributes.execution_id = 234567892345678923456789
event.Attributes.report_metadata.subtype = host_inventory
event.Attributes.scheduled_report_id = 234567892345678923456789
event.AuditKeyValues[0].Key = scheduled_report_id
event.AuditKeyValues[0].ValueString = 123456781234567812345678
event.AuditKeyValues[1].ValueString = 123456781234567812345678
event.AuditKeyValues[2].Key = report_metadata.subtype
event.AuditKeyValues[2].ValueString = detection_summary
event.CustomerIdString = b2c3d4e5f6g7h8i9j0k1
event.EventType = Event_ExternalApiEvent
event.EventUUID = 12345678-1234-5678-1234-123456781234
event.ExternalAPIType = Event_UserActivityAuditEvent
event.Nonce = 1
event.OperationName = delete_report_execution
event.ServiceName = scheduled_reports
event.UTCTimestamp = 1710343724
event.UserId = adamsb
event.UserIp = 192.168.2.143
event.cid = c3d4e5f6g7h8i9j0k1l2
event.eid = 118
event.timestamp = 2025-03-13:15:48:44 +0000
metadata.customerIDString = a1b2c3d4e5f6g7h8i9j0
metadata.eventCreationTime = 1710340124
metadata.eventType = UserActivityAuditEvent
metadata.offset, metadata.version = 341.1111.0 (the two values are run together in the source)

Note that this particular event is a delete_report_execution, not one of the policy operations, so it would be dropped by the operation filter below.

Step-by-Step

  1. Starting with the source repository events.

  2. Filter

     ```logscale
     metadata.eventType = UserActivityAuditEvent
     ```

     Filters events to include only those where metadata.eventType equals UserActivityAuditEvent.

  3. Filter

     ```logscale
     | metadata.customerIDString = *
     ```

     Ensures metadata.customerIDString exists by matching any value; events without the field are dropped.

  4. Filter

     ```logscale
     | event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
     ```

     Filters for the listed policy-related operations in the event.OperationName field; any other operation (such as the delete_report_execution in the sample event) is excluded.

  5. Add Field

     ```logscale
     | User:=event.UserId
     ```

     Creates a new field named User containing the value from event.UserId.

  6. Aggregate

     ```logscale
     | groupby(User)
     ```

     Groups the events by the User field. With no function argument, groupBy() defaults to count(), so each group carries a _count field holding the number of events for that user.

  7. Expression

     ```logscale
     | events:=rename(_count)
     ```

     Renames the default _count field to events for better readability in the visualization.

  8. Event Result set.

Summary and Results

The widget is used to track and visualize the distribution of policy-related activities across different users in the system.

This widget is useful to identify users who are most active in policy management and to monitor policy-related activities for security and compliance purposes.

Sample output (the single incoming event above is a delete_report_execution and would not pass the operation filter; the rows below illustrate the shape of the result for five users):

```json
[{"User":"whitep","events":"1"},
{"User":"wrightj","events":"1"},
{"User":"youngd","events":"1"},
{"User":"thomasb","events":"1"},
{"User":"watsonm","events":"1"}]
```

The results are displayed in a pie chart, where each slice represents a user and its size corresponds to their number of policy-related events.