Visualize Events by Event Type in Bar Chart

Display event distribution by metadata event type in bar chart format

This is a query example for the Events by eventtype widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result
logscale
metadata.customerIDString = *
| metadata.eventType!=ReconNotificationSummary*
| groupBy(metadata.eventType)

Introduction

This widget is used to create a bar chart visualization showing the distribution of events across different event types, excluding reconnaissance notifications.

In this widget, the groupBy() function is used to aggregate events by their metadata event type, providing data for a bar chart visualization where each bar represents an event type's frequency.

Example incoming data might look like this:

@timestamp#repo#type@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneevent.ComputerNameevent.DetectDescriptionevent.DetectNameevent.LocalIPevent.Objectiveevent.SensorIdevent.SeverityNameevent.Tacticevent.Techniqueevent.UserNamemetadata.customerIDStringmetadata.eventCreationTimemetadata.eventType
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_300_17682133652026-01-12T10:22:45{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-WEB01Detected suspicious PowerShell command execution with encoded argumentsSuspicious PowerShell Command Line192.168.2.143Command and Controlb2c3d4e5f6g7h8i9j0k1MediumExecutionT1059.001 - PowerShelladamsba1b2c3d4e5f6g7h8i9j01768213365060DetectionSummaryEvent
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_301_17682133652026-01-12T10:22:46{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-APP02Detected potential credential dumping from LSASS memorySuspicious Registry Modification192.168.0.87Credential Theftd4e5f6g7h8i9j0k1l2m3LowCredential AccessT1003.001 - LSASS Memoryandersonkc3d4e5f6g7h8i9j0k1l21768213365928DetectionSummaryEvent
2026-01-12T10:22:46auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_302_17682133662026-01-12T10:22:47{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-DB01Detected suspicious access to administrative sharesCredential Dumping via Mimikatz192.168.3.211Internal Reconnaissancef6g7h8i9j0k1l2m3n4o5HighLateral MovementT1021.002 - SMB/Windows Admin Sharesbakerme5f6g7h8i9j0k1l2m3n41768213366748DetectionSummaryEvent
2026-01-12T10:22:47auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_303_17682133672026-01-12T10:22:48{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-FILE01Detected authentication using potentially compromised domain accountSuspicious Service Creation192.168.1.54Privilege Escalationh8i9j0k1l2m3n4o5p6q7CriticalDefense EvasionT1078.002 - Domain Accountsblackjg7h8i9j0k1l2m3n4o5p61768213367566DetectionSummaryEvent
2026-01-12T10:22:48auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_304_17682133682026-01-12T10:22:49{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-SQL01Detected suspicious scheduled task creation for persistenceLateral Movement via WMI192.168.4.198Persistence Establishmentj0k1l2m3n4o5p6q7r8s9MediumPersistenceT1053.005 - Scheduled Taskbrownri9j0k1l2m3n4o5p6q7r81768213368386DetectionSummaryEvent

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    metadata.customerIDString = *

    Filters for events that have a metadata.customerIDString field.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | metadata.eventType!=ReconNotificationSummary*

    Excludes events where metadata.eventType matches ReconNotificationSummary.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | groupBy(metadata.eventType)

    Groups events by their event type in the metadata and counts the occurrences of each type to create bars in the chart visualization.

  5. Event Result set.

Summary and Results

The widget is used to create a bar chart showing the distribution of different event types in the environment.

This widget is useful to visually monitor the volume of different event types and identify unusual patterns in event type distribution through bar chart representation.

Sample output from the incoming example data:

_countmetadata.eventType
100DetectionSummaryEvent

the output data is visualized a bar chart where each event type is represented by a bar, with the height corresponding to the count value.

Example of a Events by Eventtype widget