Group User Activity by Service Name

Visualize user activity distribution across different services in a bar chart

This is a query example for the User Activity by ServiceName widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Source or File -> Filter -> Filter -> Aggregate -> Result Set

logscale
*
| metadata.eventType=UserActivityAuditEvent
| metadata.customerIDString = *
| groupby(event.ServiceName)

Introduction

This widget tracks and visualizes how user activity audit events are distributed across the services in the system, displayed as a bar chart.

The query uses the groupBy() function to aggregate user activity events by service name; the count that groupBy() produces for each service is what the bar chart draws.

Example incoming data might look like this:

Field                            Value
#type                            siem-connector
@timezone                        Z
event.AuditKeyValues[1].Value    Exported configuration backup of firewall cluster 'edge-fw-01'
event.ComputerName               PROD-SQL01
event.ServiceName                CrowdStrike Authentication
event.UserId                     bakerm
metadata.eventCreationTime       1768898481267
metadata.eventType               UserActivityAuditEvent

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
     *

    Selects all events from the data stream for processing.

  3. logscale
     | metadata.eventType=UserActivityAuditEvent

    Filters events to include only those where metadata.eventType equals UserActivityAuditEvent.

  4. logscale
     | metadata.customerIDString = *

    Keeps only events that carry a metadata.customerIDString field. Because the value is the wildcard *, this is an existence check rather than a value filter: any value matches, and events without the field are dropped.

  5. logscale
     | groupby(event.ServiceName)

    Groups the events by the event.ServiceName field, automatically creating a count for each unique service in the _count field. Events that have no event.ServiceName field belong to no group and do not appear in the result. groupBy() does not order its groups by count; if a ranked list is wanted rather than a chart, append sort(_count, order=desc). The results are visualized in a bar chart showing the distribution of activities across different services.

  6. Event Result set.
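The four stages above, modelled in plain Python as an added example (this is not code from the crowdstrike/siem-connector package or from LogScale). The events are constructed to exercise each stage: a wrong eventType, a missing customerIDString and a missing event.ServiceName are all included so the drop behaviour of each filter and of groupBy() can be checked offline. The filter model is simplified to exact matches plus the lone * wildcard; real LogScale patterns are globs.

```python
# Added example, not code from the crowdstrike/siem-connector package or from
# LogScale itself: a small Python model of the widget's four-stage pipeline
# (select all -> filter eventType -> require customerIDString -> groupBy count),
# run over constructed events so the filter semantics can be checked offline.
from collections import Counter

# Constructed sample events (field names follow the page's example row; values,
# customer IDs and service names are made up, not real CrowdStrike data).
SAMPLE_EVENTS = [
    {"metadata.eventType": "UserActivityAuditEvent",
     "metadata.customerIDString": "cust-1",
     "event.ServiceName": "CrowdStrike Authentication", "event.UserId": "bakerm"},
    {"metadata.eventType": "UserActivityAuditEvent",
     "metadata.customerIDString": "cust-1",
     "event.ServiceName": "CrowdStrike Authentication", "event.UserId": "jdoe"},
    {"metadata.eventType": "UserActivityAuditEvent",
     "metadata.customerIDString": "cust-2",
     "event.ServiceName": "Detections", "event.UserId": "bakerm"},
    # Wrong eventType: removed by the first filter.
    {"metadata.eventType": "DetectionSummaryEvent",
     "metadata.customerIDString": "cust-1",
     "event.ServiceName": "Detections"},
    # No customerIDString field at all: removed by the `= *` existence filter.
    {"metadata.eventType": "UserActivityAuditEvent",
     "event.ServiceName": "CrowdStrike Authentication", "event.UserId": "mallory"},
    # No event.ServiceName: survives both filters but falls out of groupBy,
    # because an event without the grouping field belongs to no group.
    {"metadata.eventType": "UserActivityAuditEvent",
     "metadata.customerIDString": "cust-1", "event.UserId": "svc-account"},
]


def field_matches(event, name, pattern):
    """Simplified model of a LogScale `name=pattern` filter.

    Only two cases are modelled: an exact value, and the lone wildcard `*`,
    which matches any value and therefore only tests that the field exists.
    (Real LogScale patterns are globs; partial wildcards are not handled here.)
    """
    if name not in event:
        return False
    return pattern == "*" or event[name] == pattern


def user_activity_by_service(events):
    """Model of the widget query; returns rows shaped like LogScale's
    groupBy() output: [{"event.ServiceName": ..., "_count": ...}, ...].
    """
    # Stage 1: `*` selects every event.
    selected = list(events)
    # Stage 2: `| metadata.eventType=UserActivityAuditEvent`
    selected = [e for e in selected
                if field_matches(e, "metadata.eventType", "UserActivityAuditEvent")]
    # Stage 3: `| metadata.customerIDString = *` (existence check).
    selected = [e for e in selected
                if field_matches(e, "metadata.customerIDString", "*")]
    # Stage 4: `| groupby(event.ServiceName)`; the implicit count() becomes _count.
    counts = Counter(e["event.ServiceName"] for e in selected
                     if "event.ServiceName" in e)
    # groupBy() itself does not order groups; sort here so the ranking is
    # deterministic (in LogScale you would append `| sort(_count, order=desc)`).
    return [{"event.ServiceName": name, "_count": n}
            for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for row in user_activity_by_service(SAMPLE_EVENTS):
        print(f"{row['_count']:>6}  {row['event.ServiceName']}")
```

Of the six constructed events, two are dropped by the filters and one by groupBy(), leaving two rows: CrowdStrike Authentication with _count 2 and Detections with _count 1. The separate handling of a missing field in field_matches() and in the groupBy() stage is the point: `= *` and groupBy() both silently discard events that lack the field, which is what you want for a chart but worth remembering when the widget is used to look for gaps in audit coverage.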

Summary and Results

The widget provides a visual representation of how user activity is distributed across the services in the system.

It is useful for identifying which services see the most user activity, for monitoring service usage patterns, and for spotting unusual spikes in a specific service. A spike is only meaningful against a baseline, so compare the chart with the same widget over an earlier window of the same length before treating a tall bar as anomalous.

Sample output from a set of five incoming events, each with a different event.ServiceName (the single example event shown above would on its own produce one row, CrowdStrike Authentication with _count 1):

_count   event.ServiceName
1        windows-defender
1        syslog-service
1        threat-intelligence
1        vpn-service
1        web-proxy

The results show an even distribution of one event per service across five different services. The bar chart visualization makes it easy to compare activity levels across services at a glance.