Gravwell Query of the Week

Pointmap of usernames logging into F5 boxes via latest RCE

Written by Gravwell | Mar 22, 2021 11:29:19 PM

This query provides a pointmap of usernames that successfully logged in to F5 boxes via the latest RCE (CVE-2021-22986):

tag=<your F5 restjavad log tag> words User successfully logged
| regex "User (?P<user>\S+) successfully logged in from (?P<ip>\S+) using"
| geoip ip.Location
| pointmap user
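
To triage an exported log file outside Gravwell, the regex stage of the query can be applied offline and the successful logins grouped by user and external source address. The Python below is an added example, not part of the original post; internal sources are set aside because a GeoIP database has no location for them. Assumptions: the sample lines are constructed (only the matched phrase comes from the query), and RFC 1918 space is treated as internal.

```python
import ipaddress
import re
from collections import defaultdict

# Same pattern as the query's regex stage (Python shares the (?P<name>...) syntax).
LOGIN_RE = re.compile(
    r"User (?P<user>\S+) successfully logged in from (?P<ip>\S+) using"
)

# Assumption: RFC 1918 space is "internal"; adjust to your management networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines, not real F5 output; only the matched phrase
# is taken from the query above.
SAMPLE_LINES = [
    "2021-03-20T10:01:02Z bigip1 User admin successfully logged in from 10.0.0.5 using basic auth",
    "2021-03-20T10:07:44Z bigip1 User admin successfully logged in from 203.0.113.77 using basic auth",
    "2021-03-20T10:09:10Z bigip1 User svc-backup successfully logged in from 10.0.0.9 using token auth",
    "2021-03-20T10:11:31Z bigip1 User admin failed to log in from 198.51.100.4 using basic auth",
    "2021-03-20T10:12:00Z bigip1 User admin successfully logged in from not-an-ip using basic auth",
]


def extract_logins(lines):
    """Yield (user, ip_text) for every line the query's regex would match."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def external_logins(lines):
    """Return ({user: [external IPs]}, [(user, unparseable_source)])."""
    external = defaultdict(set)
    invalid = []
    for user, ip_text in extract_logins(lines):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            invalid.append((user, ip_text))  # keep for manual review
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            external[user].add(str(addr))
    return {u: sorted(ips) for u, ips in external.items()}, invalid


if __name__ == "__main__":
    print(external_logins(SAMPLE_LINES))
```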

Additional information available at: https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/