@taltsafrir If the credentials used in the query are successfully authenticated/authorized, `audit_request_effective_user` should indeed give you the username that triggered the query.
To control whether the request body is present in the audit logs, you can change the value of:
`plugins.security.audit.log_request_body: false`
Also, during a short period (during your investigation) you could consider not excluding any of the audit log categories:
`plugins.security.audit.config.disabled_rest_categories: NONE`
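An added example (my own script, not from OpenSearch or the poster above) of triaging audit log lines once all categories and the request body are being logged: it groups events by `audit_request_effective_user`, counts categories, and records whether `audit_request_body` was captured. The sample lines are constructed, and the field names other than `audit_request_effective_user` are assumed from the security plugin's audit schema.

```python
import json
from collections import defaultdict

# Constructed sample audit events (not real logs). Field names beyond
# audit_request_effective_user are assumed from the security plugin's audit schema.
SAMPLE_AUDIT_LINES = [
    '{"audit_category":"AUTHENTICATED","audit_request_effective_user":"alice",'
    '"audit_rest_request_path":"/logs-*/_search","audit_request_body":"{\\"query\\":{\\"match_all\\":{}}}"}',
    '{"audit_category":"GRANTED_PRIVILEGES","audit_request_effective_user":"alice",'
    '"audit_rest_request_path":"/logs-*/_search"}',
    '{"audit_category":"FAILED_LOGIN","audit_request_effective_user":"bob","audit_rest_request_path":"/_cat/indices"}',
    '{"audit_category":"MISSING_PRIVILEGES","audit_request_effective_user":"carol","audit_rest_request_path":"/secrets/_doc/1"}',
    'not json at all',  # malformed line, should be skipped rather than abort the triage
]

# Categories that usually deserve a closer look during an investigation.
SUSPICIOUS_CATEGORIES = {"FAILED_LOGIN", "MISSING_PRIVILEGES"}


def summarize_audit(lines):
    """Group audit events by effective user.

    Returns {user: {"categories": {category: count}, "paths": set, "bodies_logged": int}}.
    Events with no resolvable user are collected under "<unknown>".
    """
    summary = defaultdict(lambda: {"categories": defaultdict(int), "paths": set(), "bodies_logged": 0})
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        user = event.get("audit_request_effective_user") or "<unknown>"
        entry = summary[user]
        entry["categories"][event.get("audit_category", "UNKNOWN")] += 1
        if "audit_rest_request_path" in event:
            entry["paths"].add(event["audit_rest_request_path"])
        if "audit_request_body" in event:  # only present when log_request_body is true
            entry["bodies_logged"] += 1
    return {u: {"categories": dict(e["categories"]), "paths": e["paths"],
                "bodies_logged": e["bodies_logged"]} for u, e in summary.items()}


def flagged_users(summary):
    """Sorted list of users with at least one suspicious category."""
    return sorted(u for u, e in summary.items() if SUSPICIOUS_CATEGORIES & e["categories"].keys())


if __name__ == "__main__":
    result = summarize_audit(SAMPLE_AUDIT_LINES)
    for user, entry in result.items():
        print(user, entry["categories"], "bodies logged:", entry["bodies_logged"])
    print("flagged:", flagged_users(result))
```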