What does this different color coding (Green, Grey, Red, Violet, etc.) say about an Event? Are there any more?
@jstoner Is there any KB that covers this topic? I tried finding one but had no luck.
Looks like for each type of label (e.g. alert or no | description) there's a handful of colors to help differentiate them. I've not yet seen an ability to use colors in another context, or to filter a list by them - I'd just use the label text.
Sorry for the delay on this. The color coding is a high-level grouping of events of a general type: network-type events are one color, process/EDR-like events would be another, authentication events would be another, and so forth. There are a handful of these colors; it isn't designed to map 1:1 to every event type, but if I am looking for network events or endpoint events, a color grouping quickly pulls the eye toward those colors.
Alerts vs. detections have their own color coding as well, where alerts are red and detections (which are rule hits, but ones not creating an alert in the queue) are blue.
Hope this helps!
Thanks, John. Just to be sure, the different types of events you are talking about are derived from event.metadata.event_type, like email, file, network, process, registry, etc.?
Can we control the color coding? I see different types of events are grouped under the same color, e.g. File and Process are both tagged with the grey color.
Yes, think of the color coding as a superset of event_types rolled together. Again, the idea is that green (for example) is going to be network-centric events. We do not make control of the color coding an option today. The event_type is shown within the color, and I believe the intent was just a quick look at color for grouping purposes. Because of the overall small number of colors versus all of the event_types defined, they will be broader groups. For example, those types of events in grey are going to be endpoint-centric.