My ESM has just recently started doing something that I have never seen before. Typically when I go to look at my incidents dashboard, I see an event listed with a red square beside it as well as a plus beside it. When expanded it usually shows a couple of sub-events that are listed with a green square. I can usually click on one of events labled with green and then click on the packet tab and actually see a packet. Recently, I have began to notice that when I click on a primary event it may have sub-events with red and green listed sub events. I can still see a packet when I click on a green sub-event but when clicking on a red and then the packet tab shows me what appears to be the code for some XML page. I have no idea why it is doing that but it seems like it contains the event description, variables, etc. Anyone have any ideas on this one?
You should know that the "packet" tab in the event details is not packet data like you'd expect when sniffing network traffic. It is actually the raw log from the data source as it came to the SIEM.
The greend and red boxes you're referring to are the severity of the event (be it an actual log, or correlation rule that triggered).