Log users and query in audit log

Hi @ol3k,

Not all events contain the request_body attribute. In this case, access_granted events do not. Look at the authentication_* events (if you have enabled them). The reason is that the REST request content is gone by the time actions are authorized (access_granted events).
Arguably the docs for this are in development, https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-event-attributes, but they are accurate for your present enquiry.
