Group Policy Events by Operation Type

Visualize distribution of policy operations in a pie chart

This is a query example for the Policy events types widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

[Query flow diagram: Events -> Filter -> Filter -> Filter -> Aggregate -> Result Set]

```logscale
metadata.eventType = UserActivityAuditEvent
| metadata.customerIDString = *
| event.OperationName = in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
| groupby(event.OperationName)
```

Introduction

This widget is used to track and visualize the distribution of different types of policy operations in the system, displayed as a pie chart.

In this widget, the groupBy() function is used to aggregate policy-related events by operation type, and the in() function is used to filter for specific policy operations.

Example incoming data might look like this:

| #type | event.AuditKeyValues[0].Value | event.ComputerName | event.OperationName | event.UserId | metadata.eventType |
|---|---|---|---|---|---|
| siem-connector | Changed password expiration policy from 60 to 45 days | PROD-SQL01 | create_policy | bakerm | UserActivityAuditEvent |

Step-by-Step

  1. Starting with the source repository events.

  2. [Query flow diagram: first Filter stage highlighted]

     ```logscale
     metadata.eventType = UserActivityAuditEvent
     ```

    Filters events to include only those where metadata.eventType equals UserActivityAuditEvent.

  3. [Query flow diagram: second Filter stage highlighted]

     ```logscale
     | metadata.customerIDString = *
     ```

    Ensures metadata.customerIDString exists by matching any value.

  4. [Query flow diagram: third Filter stage highlighted]

     ```logscale
     | event.OperationName = in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"])
     ```

    Uses the in() function to match if the value in event.OperationName exactly matches any of the specified policy operations.

  5. [Query flow diagram: Aggregate stage highlighted]

     ```logscale
     | groupby(event.OperationName)
     ```

    Groups the events by the event.OperationName field, automatically creating a count for each unique operation type in the _count field. The results are visualized in a pie chart showing the distribution of different policy operations.

  6. Event Result set.

Summary and Results

The widget is used to provide a visual breakdown of policy-related operations, showing their relative frequencies in a pie chart format.

This widget is useful to identify the most common types of policy operations, monitor the balance between different policy management activities, and detect unusual patterns in policy operation types.

Sample output from the incoming example data:

| _count | event.OperationName |
|---|---|
| 3 | remove_policy |
| 3 | update_policy |
| 3 | update_precedence |
| 3 | disable_policy |
| 3 | enable_policy |

Note that the results show five different types of policy operations, each with three events. Three operation types from the filter (create_policy, assign_policy, and delete_policy) did not appear in the results. The pie chart visualization makes it easy to see the relative proportions of different policy operations at a glance.