Display User Activity Events Details

Show user activity events in a detailed table view

This is a query example for the User Activity Events widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

Query flow: Events → Filter → Filter → Filter → Add Field → Expression → Table → Result Set
logscale
metadata.eventType = UserActivityAuditEvent
| event.OperationName = *
| metadata.customerIDString = *
| akey0:=event.AuditKeyValues[0].Key
| aval0:=event.AuditKeyValues[0].ValueString
| akey1:=event.AuditKeyValues[1].Key
| aval1:=event.AuditKeyValues[1].ValueString
| akey2:=event.AuditKeyValues[2].Key
| aval2:=event.AuditKeyValues[2].ValueString
| akey3:=event.AuditKeyValues[3].Key
| aval3:=event.AuditKeyValues[3].ValueString
| akey4:=event.AuditKeyValues[4].Key
| aval4:=event.AuditKeyValues[4].ValueString
| akey5:=event.AuditKeyValues[5].Key
| aval5:=event.AuditKeyValues[5].ValueString
| akey6:=event.AuditKeyValues[6].Key
| aval6:=event.AuditKeyValues[6].ValueString
| akey7:=event.AuditKeyValues[7].Key
| aval7:=event.AuditKeyValues[7].ValueString
| akey8:=event.AuditKeyValues[8].Key
| aval8:=event.AuditKeyValues[8].ValueString
| akey9:=event.AuditKeyValues[9].Key
| aval9:=event.AuditKeyValues[9].ValueString
| akey10:=event.AuditKeyValues[10].Key
| aval10:=event.AuditKeyValues[10].ValueString
| akey11:=event.AuditKeyValues[11].Key
| aval11:=event.AuditKeyValues[11].ValueString
| akey12:=event.AuditKeyValues[12].Key
| aval12:=event.AuditKeyValues[12].ValueString
| akey13:=event.AuditKeyValues[13].Key
| aval13:=event.AuditKeyValues[13].ValueString
| akey14:=event.AuditKeyValues[14].Key
| aval14:=event.AuditKeyValues[14].ValueString
| akey15:=event.AuditKeyValues[15].Key
| aval15:=event.AuditKeyValues[15].ValueString
| akey16:=event.AuditKeyValues[16].Key
| aval16:=event.AuditKeyValues[16].ValueString
| akey17:=event.AuditKeyValues[17].Key
| aval17:=event.AuditKeyValues[17].ValueString
| akey18:=event.AuditKeyValues[18].Key
| aval18:=event.AuditKeyValues[18].ValueString
| akey19:=event.AuditKeyValues[19].Key
| aval19:=event.AuditKeyValues[19].ValueString
| akey20:=event.AuditKeyValues[20].Key
| aval20:=event.AuditKeyValues[20].ValueString
| rename(metadata.customerIDString, as="Customer ID")
| User := rename(event.UserId)
| UserIP := rename(event.UserIp)
| Service:=event.ServiceName
| Operation:=event.OperationName
| table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])

Introduction

This widget is used to display detailed information about user activity events including customer ID, user information, service details, and audit values in a tabular format.

In this widget, the rename() and table() functions are used to format and display user activity event details in a structured table view.

Example incoming data might look like this:

Columns shown: @timestamp, #repo, #type and @rawstring; the other columns hold the fields parsed from @rawstring.

@timestamp: 2026-01-20T08:41:19
#repo: auto-dashboard-queries
#type: siem-connector
@error_msg: timestamp was not set to a value after 1971. Setting it to now
@rawstring: {"metadata":{"eventType":"UserActivityAuditEvent","eventCreationTime":1710340124,"offset":341.111,"customerIDString":"a1b2c3d4e5f6g7h8i9j0","version":"1.0"},"event":{"UserId":"adamsb","UserIp":"192.168.2.143","OperationName":"delete_report_execution","ServiceName":"scheduled_reports","AuditKeyValues":[{"Key":"scheduled_report_id","ValueString":"123456781234567812345678"},{"Key":"execution_id","ValueString":"123456781234567812345678"},{"Key":"report_metadata.subtype","ValueString":"detection_summary"}],"UTCTimestamp":1710343724,"Attributes":{"execution_id":"234567892345678923456789","report_metadata.subtype":"host_inventory","scheduled_report_id":"234567892345678923456789"},"CustomerIdString":"b2c3d4e5f6g7h8i9j0k1","Nonce":1,"AgentIdString":"12345678123456781234567812345678","EventUUID":"12345678-1234-5678-1234-123456781234","cid":"c3d4e5f6g7h8i9j0k1l2","eid":118,"timestamp":"2025-03-13:15:48:44 +0000","EventType":"Event_ExternalApiEvent","ExternalAPIType":"Event_UserActivityAuditEvent"}}

@timestamp: 2026-01-20T08:41:19
#repo: auto-dashboard-queries
#type: siem-connector
@rawstring: { "metadata" : { "eventType": "ReconNotificationSummary", "eventCreationTime": "1768898479177", "event_id": "rns-f47ac10b-58cc-4372-a567-0e02b2c3d479", "customerIDString": "d4e5f6g7h8i9j0k1l2m3" }, "summary": { "title": "Reconnaissance Activity Detected", "severity": "4", "confidence": "3", "detection_count": 3, "first_detection_time": "2026-01-08T14:27:31.456Z", "last_detection_time": "2026-01-08T15:30:12.789Z", "affected_hosts_count": 3 }, "techniques": [ { "technique_id": "T1059.001", "technique_name": "PowerShell", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious PowerShell command execution with encoded arguments" }, { "technique_id": "T1003.001", "technique_name": "LSASS Memory", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected potential credential dumping from LSASS memory" }, { "technique_id": "T1021.002", "technique_name": "SMB/Windows Admin Shares", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious access to administrative shares" } ], "affected_hosts": [ { "hostname": "PROD-WEB01", "ip_address": "192.168.0.87", "sensor_id": "e5f6g7h8i9j0k1l2m3n4", "first_seen": "2026-01-17T10:48:06.000Z", "last_seen": "2026-01-23T21:46:21.000Z", "detection_count": 7 }, { "hostname": "PROD-APP02", "ip_address": "192.168.3.211", "sensor_id": "f6g7h8i9j0k1l2m3n4o5", "first_seen": "2026-01-14T20:13:08.000Z", "last_seen": "2026-01-15T01:54:34.000Z", "detection_count": 1 }, { "hostname": "PROD-DB01", "ip_address": "192.168.1.54", "sensor_id": "g7h8i9j0k1l2m3n4o5p6", "first_seen": "2026-01-17T19:52:15.000Z", "last_seen": "2026-01-24T18:55:34.000Z", "detection_count": 4 } ], "potential_actors": [ { "actor_name": "APT29", "confidence": "2", "evidence": "Command and control infrastructure matches known APT29 domains" } ], "recommendations": [ "Isolate affected hosts from the network", "Review authentication logs for suspicious access attempts", "Enable multi-factor authentication for all privileged accounts", "Update antivirus signatures and perform a full system scan" ], "related_detections": [ "det-6ba7b810-9dad-11d1-80b4-00c04fd430c8", "det-3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c", "det-9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b" ], "context": { "risk_score": 87, "mitre_attack_url": "https://attack.mitre.org/techniques/T1078.002/", "falcon_intel_reports": [ "INTEL-T_SHORT_MD5_T", "INTEL-T_SHORT_MD5_T" ] } }

@timestamp: 2026-01-20T08:41:19
#repo: auto-dashboard-queries
#type: siem-connector
@rawstring: { "metadata":{ "eventCreationTime":"1768898479726", "eventPlatform": "Identity", "eventType": "IdentityProtectionEvent", "name": "IdentityProtectionEvent", "severity": "9", "aid": "h8i9j0k1l2m3n4o5p6q7", "aip": "192.168.4.198", "cid": "i9j0k1l2m3n4o5p6q7r8", "id": "AUD-T_SHORT_MD5_T" } }

@timestamp: 2026-01-20T08:41:20
#repo: auto-dashboard-queries
#type: siem-connector
@rawstring: {"metadata":{ "eventType":"UserActivityAuditEvent","eventCreationTime":"1768898480499","customerIDString":"j0k1l2m3n4o5p6q7r8s9" }, "event":{"UserId":"andersonk","ComputerName":"PROD-FILE01","ServiceName":"CrowdStrike Authentication", "AuditKeyValues":[{"Key":"AUD-7f92e3b1","Value":"Modified rule FW-3782 in policy 'Corporate Perimeter Defense'"},{"Key":"AUD-c45d8a6e","Value":"Added exception for host 192.168.45.12 to policy 'Data Center Access'"},{"Key":"AUD-21b9f037","Value":"Deleted user account 'mwilliams' from Active Directory group 'Finance-Users'"}]}}

@timestamp: 2026-01-20T08:41:21
#repo: auto-dashboard-queries
#type: siem-connector
@rawstring: {"metadata":{ "eventType":"UserActivityAuditEvent","eventCreationTime":"1768898481267","customerIDString":"k1l2m3n4o5p6q7r8s9t0" }, "event":{"UserId":"bakerm","ComputerName":"PROD-SQL01","OperationName":"create_policy", "AuditKeyValues":[{"Key":"AUD-9e3d5c8a","Value":"Changed password expiration policy from 60 to 45 days"},{"Key":"AUD-56f1a7d2","Value":"Exported configuration backup of firewall cluster 'edge-fw-01'"}]}}

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    metadata.eventType = UserActivityAuditEvent

    Filters for events where metadata.eventType equals UserActivityAuditEvent.

  3. logscale
    | event.OperationName = *

    Further filters to include only events that have an event.OperationName field.

  4. logscale
    | metadata.customerIDString = *

    Further filters to include only events that have a metadata.customerIDString field.

  5. logscale
    | akey0:=event.AuditKeyValues[0].Key
    | aval0:=event.AuditKeyValues[0].ValueString
    | akey1:=event.AuditKeyValues[1].Key
    | aval1:=event.AuditKeyValues[1].ValueString
    | akey2:=event.AuditKeyValues[2].Key
    | aval2:=event.AuditKeyValues[2].ValueString
    | akey3:=event.AuditKeyValues[3].Key
    | aval3:=event.AuditKeyValues[3].ValueString
    | akey4:=event.AuditKeyValues[4].Key
    | aval4:=event.AuditKeyValues[4].ValueString
    | akey5:=event.AuditKeyValues[5].Key
    | aval5:=event.AuditKeyValues[5].ValueString
    | akey6:=event.AuditKeyValues[6].Key
    | aval6:=event.AuditKeyValues[6].ValueString
    | akey7:=event.AuditKeyValues[7].Key
    | aval7:=event.AuditKeyValues[7].ValueString
    | akey8:=event.AuditKeyValues[8].Key
    | aval8:=event.AuditKeyValues[8].ValueString
    | akey9:=event.AuditKeyValues[9].Key
    | aval9:=event.AuditKeyValues[9].ValueString
    | akey10:=event.AuditKeyValues[10].Key
    | aval10:=event.AuditKeyValues[10].ValueString
    | akey11:=event.AuditKeyValues[11].Key
    | aval11:=event.AuditKeyValues[11].ValueString
    | akey12:=event.AuditKeyValues[12].Key
    | aval12:=event.AuditKeyValues[12].ValueString
    | akey13:=event.AuditKeyValues[13].Key
    | aval13:=event.AuditKeyValues[13].ValueString
    | akey14:=event.AuditKeyValues[14].Key
    | aval14:=event.AuditKeyValues[14].ValueString
    | akey15:=event.AuditKeyValues[15].Key
    | aval15:=event.AuditKeyValues[15].ValueString
    | akey16:=event.AuditKeyValues[16].Key
    | aval16:=event.AuditKeyValues[16].ValueString
    | akey17:=event.AuditKeyValues[17].Key
    | aval17:=event.AuditKeyValues[17].ValueString
    | akey18:=event.AuditKeyValues[18].Key
    | aval18:=event.AuditKeyValues[18].ValueString
    | akey19:=event.AuditKeyValues[19].Key
    | aval19:=event.AuditKeyValues[19].ValueString
    | akey20:=event.AuditKeyValues[20].Key
    | aval20:=event.AuditKeyValues[20].ValueString

    Creates new fields to store audit key-value pairs from the event data. Each audit key and its corresponding value from the event.AuditKeyValues array is assigned to numbered fields (0-20) for display in the final table.

  6. logscale
    | rename(metadata.customerIDString, as="Customer ID")
    | User := rename(event.UserId)
    | UserIP := rename(event.UserIp)
    | Service:=event.ServiceName
    | Operation:=event.OperationName

    Renames fields for better readability in the output table. The rename() function gives the customer ID, user ID and user IP fields more user-friendly names, and Service and Operation are assigned from event.ServiceName and event.OperationName.

  7. logscale
    | table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])

    Creates a table view showing the specified fields in order. The table() function formats the output as a table with columns for timestamp, customer information, user details, service information, operation type, and the audit key/value pairs akey0/aval0 through akey10/aval10. The pairs numbered 11-20 that the earlier step assigns are not listed in the table.

  8. Event Result set.

Summary and Results

The widget is used to provide a detailed view of user activity events with associated metadata and audit information.

This widget is useful to investigate user activities, track operations performed, and review audit details across different customers and services.

Sample output from the incoming example data:

json
[{"akey0":"scheduled_report_id","aval1":"123456781234567812345678","UserIP":"192.168.2.143","aval2":"detection_summary","Customer ID":"a1b2c3d4e5f6g7h8i9j0","User":"adamsb","aval0":"123456781234567812345678","akey1":"execution_id","@timestamp":1768898479081,"Service":"scheduled_reports","akey2":"report_metadata.subtype","Operation":"delete_report_execution"},
{"akey0":"AUD-9e3d5c8a","Operation":"create_policy","Customer ID":"k1l2m3n4o5p6q7r8s9t0","User":"bakerm","akey1":"AUD-56f1a7d2","@timestamp":1768898481267},
{"akey0":"AUD-0c8b3e9f","Customer ID":"l2m3n4o5p6q7r8s9t0u1","User":"blackj","akey1":"AUD-d4a7c2e5","@timestamp":1768898482042,"akey2":"AUD-38f6b1d9","Operation":"update_policy"},
{"akey0":"scheduled_report_id","aval1":"345678903456789034567890","UserIP":"192.168.1.178","aval2":"user_activity","Customer ID":"r8s9t0u1v2w3x4y5z6a7","User":"clarkd","aval0":"345678903456789034567890","akey1":"execution_id","@timestamp":1768898484857,"Service":"detections","akey2":"report_metadata.subtype","Operation":"create_report"},
{"akey0":"AUD-f7b2d9a1","Operation":"assign_policy","Customer ID":"o5p6q7r8s9t0u1v2w3x4","User":"davisr","akey1":"AUD-1d9c4e7b","@timestamp":1768898487088}]

The results are visualized as a table with columns showing timestamp, customer ID, user information, service details, operation type, and associated audit key-value pairs.
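
The following Python model of the query is an added example, not part of the crowdstrike/siem-connector package. It reports which audit events the two `= *` filters drop, which rows lose their audit values because the event carries Value instead of ValueString, and which rows have audit pairs beyond index 10 that the table never shows. Assumptions: the events are trimmed copies of the examples above plus one constructed event (example_user), `field = *` is modelled as a field-presence test, @timestamp is left out, and audit_event(), project() and review() are hypothetical names.

```python
TABLE_PAIRS = 11  # table() lists akey0/aval0 .. akey10/aval10; pairs 11..20 are assigned but not shown


def audit_event(cid, pairs, **event_fields):
    """Build a UserActivityAuditEvent shaped like the raw JSON on this page."""
    return {"metadata": {"eventType": "UserActivityAuditEvent", "customerIDString": cid},
            "event": {**event_fields, "AuditKeyValues": pairs}}


EVENTS = [
    # Trimmed copies of three example events from this page.
    audit_event("a1b2c3d4e5f6g7h8i9j0",
                [{"Key": "scheduled_report_id", "ValueString": "123456781234567812345678"},
                 {"Key": "execution_id", "ValueString": "123456781234567812345678"},
                 {"Key": "report_metadata.subtype", "ValueString": "detection_summary"}],
                UserId="adamsb", UserIp="192.168.2.143",
                OperationName="delete_report_execution", ServiceName="scheduled_reports"),
    audit_event("j0k1l2m3n4o5p6q7r8s9",
                [{"Key": "AUD-7f92e3b1",
                  "Value": "Modified rule FW-3782 in policy 'Corporate Perimeter Defense'"}],
                UserId="andersonk", ServiceName="CrowdStrike Authentication"),
    audit_event("k1l2m3n4o5p6q7r8s9t0",
                [{"Key": "AUD-9e3d5c8a", "Value": "Changed password expiration policy from 60 to 45 days"},
                 {"Key": "AUD-56f1a7d2", "Value": "Exported configuration backup of firewall cluster 'edge-fw-01'"}],
                UserId="bakerm", OperationName="create_policy"),
    # Constructed event (not from the page): 12 audit pairs, one more than the table shows.
    audit_event("constructed-customer-id",
                [{"Key": f"key{i}", "ValueString": f"value{i}"} for i in range(12)],
                UserId="example_user", OperationName="example_operation"),
]


def project(ev):
    """Return the table row the query would produce, or None if a filter drops the event."""
    meta, body = ev.get("metadata", {}), ev.get("event", {})
    if meta.get("eventType") != "UserActivityAuditEvent":
        return None
    # `event.OperationName = *` and `metadata.customerIDString = *`, modelled as presence tests.
    if "OperationName" not in body or "customerIDString" not in meta:
        return None
    row = {"Customer ID": meta["customerIDString"], "Operation": body["OperationName"]}
    for column, source in (("User", "UserId"), ("UserIP", "UserIp"), ("Service", "ServiceName")):
        if source in body:
            row[column] = body[source]
    for i, pair in enumerate(body.get("AuditKeyValues", [])[:TABLE_PAIRS]):
        if "Key" in pair:
            row[f"akey{i}"] = pair["Key"]
        if "ValueString" in pair:  # the query reads ValueString only, never Value
            row[f"aval{i}"] = pair["ValueString"]
    return row


def review(events):
    """Summarise, per user, what the widget shows and what it silently leaves out."""
    report = {"shown": [], "dropped": [], "values_missing": [], "pairs_truncated": []}
    for ev in events:
        user = ev.get("event", {}).get("UserId", "?")
        row = project(ev)
        if row is None:
            if ev.get("metadata", {}).get("eventType") == "UserActivityAuditEvent":
                report["dropped"].append(user)  # an audit event that never reaches the table
            continue
        report["shown"].append(user)
        pairs = ev["event"].get("AuditKeyValues", [])
        if any("ValueString" not in p for p in pairs[:TABLE_PAIRS]):
            report["values_missing"].append(user)
        if len(pairs) > TABLE_PAIRS:
            report["pairs_truncated"].append(user)
    return report


if __name__ == "__main__":
    print(review(EVENTS))
```

The row produced for bakerm matches the sample output above: audit keys are present but no aval columns, because that event stores its audit text under Value.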