Arctic Wolf Unified Portal Data Exploration

Updated Jan 26, 2024

Run an analyzed event log search

Data Explorer allows you to search analyzed event logs from the Arctic Wolf® observation pipeline. After you run a search, Data Explorer provides a consolidated view of all machine-analyzed and parsed logs, across multiple log sources, that match your search expression. You can search the entire database or limit your search to specific database fields:

Search the entire database for analyzed event logs

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Data Explorer.

  3. (Optional) Edit the date range to limit or expand your search.

    Tip: The default range is the past 24 hours, but you can search up to 10 days of event log data at a time.

  4. In the Add Search Fields section, in the Search field, enter a search term.

  5. Click Apply Filters.

    Search results appear in the Event Logs table.

  6. (Optional) Complete any of these actions, described in the sections below: edit the columns in the Event Logs table, save or load a custom column set, export the search results, or view the complete data for an event log.

Search specific database fields for analyzed event logs

In Data Explorer, you can limit your search to specific database fields.

For each field set or field that you want to search, complete these steps:

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Data Explorer.

  3. (Optional) Edit the date range to limit or expand your search.

    Tip: The default range is the past 24 hours, but you can search up to 10 days of event log data at a time.

  4. In the Add Search Fields section, click the Search Fields (10 maximum) checkbox.

  5. Enter a partial or complete search term. For example, host.

    As you type, a list of options that match your search term appears.

  6. In the list, select a field set or field.

  7. In the recently added field set or field, add one or more search terms. For example, if you added the IP Address field set, enter 8.8.8.8 in the IP Address box.

    Tips:

    • A field set allows you to search a group of related database fields. Field sets are written in title case, for example, IP Address, and are listed before individual database fields.

    • Individual database fields are written in lower case and include periods and underscores. For example, remote.registered_domain.

    • Data Explorer uses this Boolean logic:

      • If you search for multiple values in the same database field, Data Explorer adds the OR Boolean operator between each value.
      • If your search includes multiple database fields, Data Explorer adds the AND Boolean operator between search expressions for each database field.

      See Data Explorer fields for more information.

  8. Click Apply Filters.

  9. (Optional) Complete any of these actions, described in the sections below: edit the columns in the Event Logs table, save or load a custom column set, export the search results, or view the complete data for an event log.
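The Boolean logic in the tips above (OR between the values of one field, AND between fields), the expansion of a field set into its related database fields, the 10-field maximum, and the 10-day date range limit, modeled in Python as an added example. This is not Arctic Wolf's code and it does not reproduce Data Explorer's query syntax; the membership of the IP Address field set, the field names such as source.ip and destination.ip, and the sample events are constructed assumptions, so use it only to check your expectations of how a multi-field search narrows results.

```python
"""Added example (not Arctic Wolf code). Models how Data Explorer composes a
field search: OR between the values of one field, AND between fields, a field
set expanding to a group of related fields, at most 10 search fields, and a
date range of at most 10 days. The syntax produced by render_expression is
illustrative only, not Data Explorer's own syntax."""
from datetime import datetime, timedelta, timezone

MAX_SEARCH_FIELDS = 10   # "Search Fields (10 maximum)"
MAX_RANGE_DAYS = 10      # "up to 10 days of event log data at a time"

# ASSUMPTION: the page says a field set groups related database fields but
# does not list the members; this membership and these names are hypothetical.
FIELD_SETS = {
    "IP Address": ["source.ip", "destination.ip", "remote.ip"],
}


def expand_field(name):
    """Title-case names are field sets and expand to their member fields;
    lower-case dotted names are individual database fields."""
    return FIELD_SETS.get(name, [name])


def validate_filters(filters):
    """Enforce the 10-field maximum and require at least one value per field."""
    if len(filters) > MAX_SEARCH_FIELDS:
        raise ValueError(f"at most {MAX_SEARCH_FIELDS} search fields allowed")
    for name, values in filters.items():
        if not values:
            raise ValueError(f"field {name!r} has no search terms")


def validate_range(start, end):
    """Enforce a non-negative search window of at most 10 days."""
    if end < start or end - start > timedelta(days=MAX_RANGE_DAYS):
        raise ValueError(f"date range must span 0-{MAX_RANGE_DAYS} days")


def field_matches(record, name, values):
    """OR semantics: true if any listed value appears in any member field."""
    return any(record.get(field) == value
               for field in expand_field(name) for value in values)


def record_matches(record, filters):
    """AND semantics: every searched field must match."""
    return all(field_matches(record, name, values)
               for name, values in filters.items())


def search(records, filters, start, end):
    """Return the records inside [start, end] that satisfy all filters."""
    validate_filters(filters)
    validate_range(start, end)
    return [r for r in records
            if start <= r["@timestamp"] <= end and record_matches(r, filters)]


def render_expression(filters):
    """Human-readable form of the effective expression (illustrative syntax)."""
    parts = []
    for name, values in filters.items():
        clause = " OR ".join(f"{name}:{v}" for v in values)
        parts.append(f"({clause})" if len(values) > 1 else clause)
    return " AND ".join(parts)


# Constructed sample events, not real Arctic Wolf data.
NOW = datetime(2024, 1, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": NOW - timedelta(hours=1), "host.name": "web01",
     "destination.ip": "8.8.8.8", "remote.registered_domain": "example.com"},
    {"@timestamp": NOW - timedelta(hours=2), "host.name": "web02",
     "destination.ip": "1.1.1.1", "remote.registered_domain": "example.org"},
    {"@timestamp": NOW - timedelta(days=3), "host.name": "web01",
     "source.ip": "8.8.8.8", "remote.registered_domain": "example.net"},
    {"@timestamp": NOW - timedelta(days=12), "host.name": "web01",
     "destination.ip": "8.8.8.8", "remote.registered_domain": "example.com"},
]


def window(days):
    """Search window ending at NOW and spanning the given number of days."""
    return NOW - timedelta(days=days), NOW


if __name__ == "__main__":
    filters = {"IP Address": ["8.8.8.8"],
               "remote.registered_domain": ["example.com", "example.net"]}
    print(render_expression(filters))
    for hit in search(SAMPLE_EVENTS, filters, *window(10)):
        print(hit["@timestamp"].isoformat(), hit["host.name"])
```

Note that the 12-day-old event never appears no matter which filters you choose: a single search only covers a 10-day window, so older data needs a second search with an earlier range.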

Edit columns in the Event Logs table

  1. Run an analyzed event log search.

  2. Click Columns.

  3. Select the checkboxes for the fields that you want to make visible in the Event Logs table.

  4. Click Apply.

    The fields that you selected are added to the Event Logs table.

Create a custom column set

  1. Run an analyzed event log search.
  2. Edit columns in the Event Logs table.
  3. Click Save Columns.
  4. Review the column set.
  5. Click Save.

Apply a custom column set

If you previously created a custom column set, you can apply it to the Event Logs table instead of selecting columns one by one. See Create a custom column set for more information.

  1. Run an analyzed event log search.
  2. Click Load Columns.
  3. Select a custom column set.
  4. Click Load.

Export Data Explorer search results

  1. Run an analyzed event log search.
  2. Click Export to download your search results.

    Note: You can export up to 100,000 analyzed log entries. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to export a larger dataset.

View complete data for an event log

  1. Run an analyzed event log search.

  2. For any row in the Event Logs table, in the View Event Log column, click View More.

  3. (Optional) To copy event log data:

    1. In the Format section, make sure that Table is selected.

    2. In the table, select the checkboxes for the field values that you want to copy.

      Event log data is copied in JSON format by default.

    3. (Optional) To copy event log data in raw format, in the Format section, select Raw.

    4. Click Copy event to clipboard.

  4. (Optional) To make columns visible in the Event Logs table:

    1. In the Format section, make sure that Table is selected.

    2. In the table, select the checkboxes for the fields that you want to make visible in the Event Logs table.

    3. Click Apply Columns.

      The fields that you selected are added to the Event Logs table.