Count Identity Protection Events

Track the total number of identity protection events

This is a query example for the Identity Protection Events widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

*
| metadata.eventType=IdentityProtectionEvent
| count()

Introduction

This widget is used to display the total count of identity protection events in the system.

In this widget, the count() function is used to calculate the total number of identity protection events.

Example incoming data might look like this:

Event 1 (@timestamp 2026-01-20T08:44:43, #repo auto-dashboard-queries, #type siem-connector; ingested with #error true and @error_msg "timestamp was not set to a value after 1971. Setting it to now"). The event.* and metadata.* fields are parsed from this @rawstring:

{
  "metadata": {
    "eventType": "UserActivityAuditEvent",
    "eventCreationTime": 1710340124,
    "offset": 341.111,
    "customerIDString": "a1b2c3d4e5f6g7h8i9j0",
    "version": "1.0"
  },
  "event": {
    "UserId": "adamsb",
    "UserIp": "192.168.2.143",
    "OperationName": "delete_report_execution",
    "ServiceName": "scheduled_reports",
    "AuditKeyValues": [
      {"Key": "scheduled_report_id", "ValueString": "123456781234567812345678"},
      {"Key": "execution_id", "ValueString": "123456781234567812345678"},
      {"Key": "report_metadata.subtype", "ValueString": "detection_summary"}
    ],
    "UTCTimestamp": 1710343724,
    "Attributes": {
      "execution_id": "234567892345678923456789",
      "report_metadata.subtype": "host_inventory",
      "scheduled_report_id": "234567892345678923456789"
    },
    "CustomerIdString": "b2c3d4e5f6g7h8i9j0k1",
    "Nonce": 1,
    "AgentIdString": "12345678123456781234567812345678",
    "EventUUID": "12345678-1234-5678-1234-123456781234",
    "cid": "c3d4e5f6g7h8i9j0k1l2",
    "eid": 118,
    "timestamp": "2025-03-13:15:48:44 +0000",
    "EventType": "Event_ExternalApiEvent",
    "ExternalAPIType": "Event_UserActivityAuditEvent"
  }
}

Event 2 (@timestamp 2026-01-20T08:44:44, #repo auto-dashboard-queries, #type siem-connector). The metadata.* fields are parsed from this @rawstring:

{
  "metadata": {
    "eventCreationTime": "1768898684540",
    "eventPlatform": "Identity",
    "eventType": "IdentityProtectionEvent",
    "name": "IdentityProtectionEvent",
    "severity": "9",
    "aid": "h8i9j0k1l2m3n4o5p6q7",
    "aip": "192.168.4.198",
    "cid": "i9j0k1l2m3n4o5p6q7r8",
    "id": "AUD-T_SHORT_MD5_T"
  }
}

Step-by-Step

  1. Starting with the source repository events.

  2. *

     Selects all events in the data stream.

  3. | metadata.eventType=IdentityProtectionEvent

     Filters events to include only those where metadata.eventType equals IdentityProtectionEvent. In the sample data this keeps the second event (metadata.eventPlatform Identity, severity 9) and drops the UserActivityAuditEvent record.

  4. | count()

     Counts the total number of matching events. The count() function returns the result in a field named _count.

  5. Event Result set.
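As an added illustration (not part of the original page or of the siem-connector package), the following Python mirrors the three stages of the query over constructed @rawstring records modelled on the two sample events above: a dotted-field lookup for metadata.eventType, the equality filter, and a count() that returns a single _count row. The count_by_severity function is a hypothetical extension, not something the widget does, showing how the same filtered stream would be tallied per metadata.severity.

```python
import json

# Constructed sample @rawstring values modelled on the two events shown above (trimmed
# to the fields the query touches), plus a lower-severity event and one unparsable line.
SAMPLE_RAWSTRINGS = [
    '{"metadata":{"eventType":"UserActivityAuditEvent","eventCreationTime":1710340124},'
    '"event":{"UserId":"adamsb","OperationName":"delete_report_execution"}}',
    '{"metadata":{"eventPlatform":"Identity","eventType":"IdentityProtectionEvent",'
    '"name":"IdentityProtectionEvent","severity":"9","aid":"h8i9j0k1l2m3n4o5p6q7"}}',
    '{"metadata":{"eventPlatform":"Identity","eventType":"IdentityProtectionEvent","severity":"4"}}',
    'this line is not JSON',
]

def get_field(event, path):
    """Resolve a LogScale-style dotted field name such as 'metadata.eventType';
    return None when any path segment is missing."""
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def identity_protection_events(rawstrings):
    """'*' then '| metadata.eventType=IdentityProtectionEvent': parse every
    @rawstring and keep the events that pass the filter. A record that is not
    JSON has no metadata.eventType field, so the filter drops it."""
    kept = []
    for raw in rawstrings:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if get_field(event, "metadata.eventType") == "IdentityProtectionEvent":
            kept.append(event)
    return kept

def count_identity_protection_events(rawstrings):
    """'| count()': aggregate the filtered stream into one row with the field _count."""
    return {"_count": len(identity_protection_events(rawstrings))}

def count_by_severity(rawstrings):
    """Hypothetical extension, not on the page: the same filter tallied per
    metadata.severity (a string in the sample data), for spotting high-severity spikes."""
    tally = {}
    for event in identity_protection_events(rawstrings):
        severity = get_field(event, "metadata.severity")
        tally[severity] = tally.get(severity, 0) + 1
    return tally
```

Running count_identity_protection_events(SAMPLE_RAWSTRINGS) gives {"_count": 2}: the audit event and the non-JSON line are dropped, the two IdentityProtectionEvent records are counted.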

Summary and Results

The widget is used to monitor the volume of identity protection events occurring in the system.

This widget is useful for tracking the frequency of identity-related security events and for spotting spikes in identity protection incidents that carry high severity ratings.

Sample output from the incoming example data:

_count
13