Count Activity by Operations

Group and count user activities by operation name

This is a query example for the Activity by Operations widget in the User Activity dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Filter -> Filter -> Aggregate -> Result Set

```logscale
*
| metadata.eventType=UserActivityAuditEvent
| groupBy("event.OperationName")
```

Introduction

This widget is used to visualize the distribution of different operation types in user activity events, displaying the results as a pie chart for easy comparison of operation frequencies.

In this widget, the groupBy() function is used to aggregate and count user activities based on their operation names.

Example incoming data might look like this:

```json
[{"metadata.eventType":"UserActivityAuditEvent","event.OperationName":"delete_report_execution","event.UserId":"adamsb","event.UserIp":"192.168.2.143","@timestamp":1768898479081}]
```

Step-by-Step

  1. Starting with the source repository events.

  2. Pipeline stage: first Filter.

    ```logscale
    *
    ```

    Matches all events in the data stream.

  3. Pipeline stage: second Filter.

    ```logscale
    | metadata.eventType=UserActivityAuditEvent
    ```

    Filters for events where metadata.eventType equals UserActivityAuditEvent, so that audit events of other types in the same repository do not count towards the operation totals.

  4. Pipeline stage: Aggregate.

    ```logscale
    | groupBy("event.OperationName")
    ```

    Groups the filtered events by event.OperationName. Because no aggregate function is given, groupBy() applies its default count() and emits one row per unique operation name with the total in a field named _count. Events that do not carry the event.OperationName field are not placed in any group. Note that groupBy() caps the number of groups it returns (its limit parameter); for a handful of distinct operation names this is not a concern.

  5. Event Result set.
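The same three-stage pipeline, run offline over constructed events, as an added example (this is not code from the crowdstrike/siem-connector package or from the page). It parses a small batch of JSON records shaped like the one shown above, applies the metadata.eventType filter, emulates groupBy() with the default count(), and then goes one step further than the widget by deriving the pie-chart proportions and listing the operations that occur only once, which is the "unusual pattern" the widget is meant to surface. The sample records, the AuthActivityAuditEvent decoy and the rarity threshold of one are assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample input (not from the page): four UserActivityAuditEvent
# records plus one AuthActivityAuditEvent that the eventType filter must drop.
# Field names follow the page's example record.
SAMPLE_EVENTS = [
    '{"metadata.eventType":"UserActivityAuditEvent","event.OperationName":"update_policy","event.UserId":"adamsb","event.UserIp":"192.168.2.143","@timestamp":1768898479081}',
    '{"metadata.eventType":"UserActivityAuditEvent","event.OperationName":"update_policy","event.UserId":"adamsb","event.UserIp":"192.168.2.143","@timestamp":1768898480000}',
    '{"metadata.eventType":"UserActivityAuditEvent","event.OperationName":"update_report","event.UserId":"jonesk","event.UserIp":"192.168.2.150","@timestamp":1768898481000}',
    '{"metadata.eventType":"UserActivityAuditEvent","event.OperationName":"delete_report_execution","event.UserId":"adamsb","event.UserIp":"192.168.2.143","@timestamp":1768898482000}',
    '{"metadata.eventType":"AuthActivityAuditEvent","event.OperationName":"userAuthenticate","event.UserId":"jonesk","event.UserIp":"192.168.2.150","@timestamp":1768898483000}',
]


def parse_events(lines):
    """Stage 1 (`*`): take every record in the stream as-is."""
    return [json.loads(line) for line in lines]


def filter_event_type(events, event_type="UserActivityAuditEvent"):
    """Stage 2: keep only metadata.eventType=UserActivityAuditEvent."""
    return [e for e in events if e.get("metadata.eventType") == event_type]


def group_by_operation(events, field="event.OperationName"):
    """Stage 3: groupBy(field) with the default count().

    Returns one row per distinct value, in the same shape as the widget's
    result set. Events that lack the field are skipped rather than grouped
    under an empty value. _count is kept as an int here; the page's sample
    output shows LogScale exporting it as a string.
    """
    counts = Counter(e[field] for e in events if field in e)
    return [{"_count": n, field: op} for op, n in counts.most_common()]


def proportions(rows):
    """Pie-chart slices: each operation's share of the filtered total."""
    total = sum(r["_count"] for r in rows)
    return {r["event.OperationName"]: r["_count"] / total for r in rows}


def rare_operations(rows, max_count=1):
    """Operations seen at most max_count times; the threshold is an
    assumption for this example, not something the widget defines."""
    return sorted(r["event.OperationName"] for r in rows if r["_count"] <= max_count)


def activity_by_operations(lines):
    """The full query: * | metadata.eventType=... | groupBy(...)."""
    return group_by_operation(filter_event_type(parse_events(lines)))


if __name__ == "__main__":
    rows = activity_by_operations(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("shares:", proportions(rows))
    print("rare:", rare_operations(rows))
```

Running it shows three rows (update_policy counted twice, the other two once each) and no trace of the userAuthenticate record, which is exactly the effect of the eventType filter in step 3. The rows come out ordered by descending count; in LogScale itself that ordering is not implied by groupBy() and would be requested explicitly, for example by appending `| sort(_count, order=desc)` to the query.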

Summary and Results

The widget is used to analyze the frequency distribution of different operation types in user activity events.

This widget is useful to monitor the most common operations being performed and identify unusual patterns in operational activities.

Sample output (from a larger set of events than the single example record shown above):

```json
[{"_count":"3","event.OperationName":"update_precedence"},
{"_count":"2","event.OperationName":"update_report"},
{"_count":"1","event.OperationName":"validateEntitlementsHmac"},
{"_count":"1","event.OperationName":"updateDetection"},
{"_count":"3","event.OperationName":"update_policy"}]
```

The results are visualized as a pie chart, making it easy to see the relative proportions of different operations in the total activity.