Count User Activity Events

Count user activity events with customer IDs

This is a query example for the User Activity Events widget in the dashboard named Summary Dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Filter -> Filter -> Filter -> Aggregate -> Result Set
logscale
*
| metadata.eventType=UserActivityAuditEvent
| metadata.customerIDString = *
| count()

Introduction

This widget is used to count the total number of user activity audit events that have an associated customer ID string.

In this widget, the count() function counts the events whose metadata.eventType is UserActivityAuditEvent and that also carry a metadata.customerIDString field.

Example incoming data (@timestamp followed by the @rawstring of each event) might look like this:

2026-01-20T08:41:19  {"metadata":{"eventType":"UserActivityAuditEvent","eventCreationTime":1710340124,"offset":341.111,"customerIDString":"a1b2c3d4e5f6g7h8i9j0","version":"1.0"},"event":{"UserId":"adamsb","UserIp":"192.168.2.143","OperationName":"delete_report_execution","ServiceName":"scheduled_reports","AuditKeyValues":[{"Key":"scheduled_report_id","ValueString":"123456781234567812345678"},{"Key":"execution_id","ValueString":"123456781234567812345678"},{"Key":"report_metadata.subtype","ValueString":"detection_summary"}],"UTCTimestamp":1710343724,"Attributes":{"execution_id":"234567892345678923456789","report_metadata.subtype":"host_inventory","scheduled_report_id":"234567892345678923456789"},"CustomerIdString":"b2c3d4e5f6g7h8i9j0k1","Nonce":1,"AgentIdString":"12345678123456781234567812345678","EventUUID":"12345678-1234-5678-1234-123456781234","cid":"c3d4e5f6g7h8i9j0k1l2","eid":118,"timestamp":"2025-03-13:15:48:44 +0000","EventType":"Event_ExternalApiEvent","ExternalAPIType":"Event_UserActivityAuditEvent"}}

2026-01-20T08:41:19  { "metadata" : { "eventType": "ReconNotificationSummary", "eventCreationTime": "1768898479177", "event_id": "rns-f47ac10b-58cc-4372-a567-0e02b2c3d479", "customerIDString": "d4e5f6g7h8i9j0k1l2m3" }, "summary": { "title": "Reconnaissance Activity Detected", "severity": "4", "confidence": "3", "detection_count": 3, "first_detection_time": "2026-01-08T14:27:31.456Z", "last_detection_time": "2026-01-08T15:30:12.789Z", "affected_hosts_count": 3 }, "techniques": [ { "technique_id": "T1059.001", "technique_name": "PowerShell", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious PowerShell command execution with encoded arguments" }, { "technique_id": "T1003.001", "technique_name": "LSASS Memory", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected potential credential dumping from LSASS memory" }, { "technique_id": "T1021.002", "technique_name": "SMB/Windows Admin Shares", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious access to administrative shares" } ], "affected_hosts": [ { "hostname": "PROD-WEB01", "ip_address": "192.168.0.87", "sensor_id": "e5f6g7h8i9j0k1l2m3n4", "first_seen": "2026-01-17T10:48:06.000Z", "last_seen": "2026-01-23T21:46:21.000Z", "detection_count": 7 }, { "hostname": "PROD-APP02", "ip_address": "192.168.3.211", "sensor_id": "f6g7h8i9j0k1l2m3n4o5", "first_seen": "2026-01-14T20:13:08.000Z", "last_seen": "2026-01-15T01:54:34.000Z", "detection_count": 1 }, { "hostname": "PROD-DB01", "ip_address": "192.168.1.54", "sensor_id": "g7h8i9j0k1l2m3n4o5p6", "first_seen": "2026-01-17T19:52:15.000Z", "last_seen": "2026-01-24T18:55:34.000Z", "detection_count": 4 } ], "potential_actors": [ { "actor_name": "APT29", "confidence": "2", "evidence": "Command and control infrastructure matches known APT29 domains" } ], "recommendations": [ "Isolate affected hosts from the network", "Review authentication logs for suspicious access attempts", "Enable multi-factor authentication for all privileged accounts", "Update antivirus signatures and perform a full system scan" ], "related_detections": [ "det-6ba7b810-9dad-11d1-80b4-00c04fd430c8", "det-3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c", "det-9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b" ], "context": { "risk_score": 87, "mitre_attack_url": "https://attack.mitre.org/techniques/T1078.002/", "falcon_intel_reports": [ "INTEL-T_SHORT_MD5_T", "INTEL-T_SHORT_MD5_T" ] } }

2026-01-20T08:41:19  { "metadata":{ "eventCreationTime":"1768898479726", "eventPlatform": "Identity", "eventType": "IdentityProtectionEvent", "name": "IdentityProtectionEvent", "severity": "9", "aid": "h8i9j0k1l2m3n4o5p6q7", "aip": "192.168.4.198", "cid": "i9j0k1l2m3n4o5p6q7r8", "id": "AUD-T_SHORT_MD5_T" } }

2026-01-20T08:41:20  {"metadata":{ "eventType":"UserActivityAuditEvent","eventCreationTime":"1768898480499","customerIDString":"j0k1l2m3n4o5p6q7r8s9" }, "event":{"UserId":"andersonk","ComputerName":"PROD-FILE01","ServiceName":"CrowdStrike Authentication", "AuditKeyValues":[{"Key":"AUD-7f92e3b1","Value":"Modified rule FW-3782 in policy 'Corporate Perimeter Defense'"},{"Key":"AUD-c45d8a6e","Value":"Added exception for host 192.168.45.12 to policy 'Data Center Access'"},{"Key":"AUD-21b9f037","Value":"Deleted user account 'mwilliams' from Active Directory group 'Finance-Users'"}]}}

2026-01-20T08:41:21  {"metadata":{ "eventType":"UserActivityAuditEvent","eventCreationTime":"1768898481267","customerIDString":"k1l2m3n4o5p6q7r8s9t0" }, "event":{"UserId":"bakerm","ComputerName":"PROD-SQL01","OperationName":"create_policy", "AuditKeyValues":[{"Key":"AUD-9e3d5c8a","Value":"Changed password expiration policy from 60 to 45 days"},{"Key":"AUD-56f1a7d2","Value":"Exported configuration backup of firewall cluster 'edge-fw-01'"}]}}

Step-by-Step

  1. Starting with the source repository events.

  2. Diagram: Events -> [Filter] -> Filter -> Filter -> Aggregate -> Result Set (first Filter stage highlighted)
    logscale
    *

    Matches all events in the data stream.

  3. Diagram: Events -> Filter -> [Filter] -> Filter -> Aggregate -> Result Set (second Filter stage highlighted)
    logscale
    | metadata.eventType=UserActivityAuditEvent

    Filters for events where metadata.eventType equals UserActivityAuditEvent.

  4. Diagram: Events -> Filter -> Filter -> [Filter] -> Aggregate -> Result Set (third Filter stage highlighted)
    logscale
    | metadata.customerIDString = *

    Further filters to keep only events that have a metadata.customerIDString field; the value of the field is not inspected, only its presence.

  5. Diagram: Events -> Filter -> Filter -> Filter -> [Aggregate] -> Result Set (Aggregate stage highlighted)
    logscale
    | count()

    Counts the total number of matching events and returns the result in a field named _count, the default output field of count().

  6. Event result set.
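To see which events each stage of the pipeline keeps, here is an added Python replay of the query (example code, not part of the crowdstrike/siem-connector package) over the rawstring JSON of the sample events above, cut down to the fields the query reads, plus one constructed UserActivityAuditEvent with no customerIDString so that the third filter has something to drop. On these six events it returns a _count of 3; the 51 shown under Summary and Results comes from the full query period.

```python
import json

# Constructed sample: the @rawstring JSON of the page's five example events,
# reduced to the fields the query reads, plus one constructed
# UserActivityAuditEvent that has no metadata.customerIDString.
SAMPLE_RAWSTRINGS = [
    '{"metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"a1b2c3d4e5f6g7h8i9j0"},'
    '"event":{"UserId":"adamsb","AuditKeyValues":[{"Key":"scheduled_report_id","ValueString":"123456781234567812345678"}]}}',
    '{"metadata":{"eventType":"ReconNotificationSummary","customerIDString":"d4e5f6g7h8i9j0k1l2m3"}}',
    '{"metadata":{"eventType":"IdentityProtectionEvent","cid":"i9j0k1l2m3n4o5p6q7r8"}}',
    '{"metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"j0k1l2m3n4o5p6q7r8s9"},"event":{"UserId":"andersonk"}}',
    '{"metadata":{"eventType":"UserActivityAuditEvent","customerIDString":"k1l2m3n4o5p6q7r8s9t0"},"event":{"UserId":"bakerm"}}',
    '{"metadata":{"eventType":"UserActivityAuditEvent"},"event":{"UserId":"constructed-no-cid"}}',
]


def flatten(obj, prefix=""):
    """Flatten parsed JSON into LogScale-style dotted field names, e.g.
    metadata.eventType and event.AuditKeyValues[0].Key, with string values."""
    fields = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            fields.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            fields.update(flatten(value, f"{prefix}[{i}]"))
    else:
        fields[prefix] = str(obj)
    return fields


def run_query(rawstrings):
    """Replay the widget pipeline stage by stage; return how many events
    survive each stage and the final _count that count() would emit."""
    # Stage 1: '*' matches every event in the stream.
    events = [flatten(json.loads(raw)) for raw in rawstrings]
    # Stage 2: metadata.eventType=UserActivityAuditEvent (exact match on the value).
    typed = [e for e in events if e.get("metadata.eventType") == "UserActivityAuditEvent"]
    # Stage 3: metadata.customerIDString = * keeps events where the field exists;
    # its value is never inspected.
    attributed = [e for e in typed if "metadata.customerIDString" in e]
    # Stage 4: count() reports the number of surviving events in _count.
    return {"stages": [len(events), len(typed), len(attributed)],
            "_count": len(attributed)}


if __name__ == "__main__":
    print(run_query(SAMPLE_RAWSTRINGS))  # {'stages': [6, 4, 3], '_count': 3}
```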

Summary and Results

The widget is used to monitor the volume of user activity events that have associated customer identification.

This widget is useful to track the overall level of user activity and ensure proper customer ID attribution in the events.

Sample output from the incoming example data:

json
[{"_count":"51"}]

Note that the output shows a total of 51 UserActivityAuditEvent events that contained a customer ID string during the query period.