diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 3b9d00b70..242050f98 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -116,14 +116,14 @@ soc:
 - soc_timestamp
 - event.dataset
 - http_request.headers.x-real-ip
- - identity_id
+ - user.name
 - http_request.headers.user-agent
 - msg
 ':hydra:':
 - soc_timestamp
 - event.dataset
 - http_request.headers.x-real-ip
- - identity_id
+ - user.name
 - http_request.headers.user-agent
 - msg
 '::conn':
@@ -1605,7 +1605,7 @@ soc:
 showSubtitle: true
 - name: SOC - Auth
 description: Users authenticated to SOC grouped by IP address and identity
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
 showSubtitle: true
 - name: SOC - App
 description: Logs generated by the Security Onion Console (SOC) server and modules
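Review bot: Nothing in this commit shows the ingest side populating `user.name` for `kratos.audit` events, yet the new field lists in the first hunk (the dataset whose key sits above the hunk, and `':hydra:'`) and the `groupby http_request.headers.x-real-ip user.name` in the SOC - Auth query at the second hunk (@@ -1605) all now depend on it. If that field mapping ships in a separate change or is missing, these lists render an empty identity column and the authentication audit dashboard silently loses its who-from-where grouping, which is the view an analyst would use to spot an account authenticating from an unexpected address. It would help to confirm the pipeline change lands in the same release and to record the dependency above the field list, e.g. `# identity is surfaced as ECS user.name; keep in sync with the kratos audit ingest mapping`. The enclosing `soc:` mapping begins and ends outside both hunks.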