In simple words: event types are more related to your data/events. For example, there could be many types of events in a single source type: Windows failed authentications and Windows successful authentications. There could be another source which also gives the same types of events but in a different format, like application authentication failed logs and application successful logs. You can create 4 event types to easily understand the context of your data. Event types are created to give context to your data.

Tags are more related to event types. For example, you can call all those 4 event types authentication logs. Tags are not specific to a single source's events/data. Tags are created to give context to your event types.

Hope this will make sense 🙂
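The four event types and the shared tag described in the answer above, written out as Splunk configuration. This is an added example, not part of the original post. The stanza names, the sourcetype values, the `myapp:auth` source and its `action`/`result` fields are assumptions for illustration, as is the extra `failure` tag on the two failed-login event types.

```ini
# ---- eventtypes.conf (constructed example) ----
# Each event type is a saved search that names one kind of event.
# Two come from Windows Security logs, two from a hypothetical application log.

[windows_auth_failed]
# 4625 = an account failed to log on
search = sourcetype="WinEventLog:Security" EventCode=4625

[windows_auth_success]
# 4624 = an account was successfully logged on
search = sourcetype="WinEventLog:Security" EventCode=4624

[app_auth_failed]
# Hypothetical application log with action/result fields
search = sourcetype="myapp:auth" action=login result=failure

[app_auth_success]
search = sourcetype="myapp:auth" action=login result=success

# ---- tags.conf (constructed example) ----
# Tags attach to the event types, not to any one source, so a single
# tag groups events that arrive in different formats.

[eventtype=windows_auth_failed]
authentication = enabled
failure = enabled

[eventtype=windows_auth_success]
authentication = enabled

[eventtype=app_auth_failed]
authentication = enabled
failure = enabled

[eventtype=app_auth_success]
authentication = enabled

# With these in place:
#   tag=authentication              -> all four event types, both sources
#   tag=authentication tag=failure  -> failed logins from Windows and the app
#   eventtype=app_auth_failed       -> only the application's failed logins
```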