From a8cb18bb2eb3fcae0b012a18983dfc0af8eb6b95 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 8 May 2025 09:09:26 -0400
Subject: [PATCH] Update defaults.yaml to replace remaining instances of identity_id with user.name
---
 salt/soc/defaults.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 3b9d00b70..242050f98 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -116,14 +116,14 @@ soc:
 - soc_timestamp
 - event.dataset
 - http_request.headers.x-real-ip
- - identity_id
+ - user.name
 - http_request.headers.user-agent
 - msg
 ':hydra:':
 - soc_timestamp
 - event.dataset
 - http_request.headers.x-real-ip
- - identity_id
+ - user.name
 - http_request.headers.user-agent
 - msg
 '::conn':
@@ -1605,7 +1605,7 @@ soc:
 showSubtitle: true
 - name: SOC - Auth
 description: Users authenticated to SOC grouped by IP address and identity
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
 showSubtitle: true
 - name: SOC - App
 description: Logs generated by the Security Onion Console (SOC) server and modules
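Review bot: Audit events indexed before the field rename presumably still carry `identity_id` and no `user.name`, so the `SOC - Auth` query in the second hunk (`groupby http_request.headers.x-real-ip user.name`) and the two column lists in the first hunk (the one ending just above `':hydra:'` and `':hydra:'` itself) would show older authentication records without an identity. This is worth confirming against the ingest pipeline, because an analyst reviewing logins across the upgrade boundary could read the gap as missing or anonymous users. The dashboard description still says "grouped by IP address and identity"; if `user.name` holds the login name, `description: Users authenticated to SOC grouped by IP address and user name` would match the new query. The column lists and the dashboard list both start and continue outside the hunks shown.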