Raw Log Search

Updated Feb 16, 2024

Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you search the Arctic Wolf® platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to retrieve logs in raw format for operational and security-related tasks, such as validating a configuration change or investigating a security alert.

Tip: You can also search the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View login events for more information.

Tip: You can run a concurrent search in a new browser tab or window.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Raw Log Search.

  3. (Optional) Limit your search to log sources that have a specific tag:

    1. Click the Log Source field.

    2. Add one or more tags from the list. For example, select active directory and auth to only include log sources with the active directory tag and log sources with the auth tag.

      See Log source tags for more information.

  4. (Optional) Set the desired time range.

    Notes:

    • You can search up to 31 days of log data at a time.
    • The earliest log data that you can search is based on your data retention policy.
    • By default, data sent to Arctic Wolf prior to January 2019 is not searchable. If your data retention period begins before January 2019 and you would like to search your full history, contact your Concierge Security® Team (CST) at security@arcticwolf.com.
  5. (Optional) Choose a search expression from a list of frequently run searches:

    1. In the Query Template list, select a frequently run search.
    2. If prompted, enter the value that completes the search expression. For example, in the Login Successes for User template, enter a user ID.
    3. Click Apply to add the search expression to the Search field.
  6. (Optional) In the Search field, enter or modify the search expression.

    Tip: See Raw Log Search Expression Syntax Guide for more information.

  7. Select or deselect the Case sensitive option.

  8. Click Search.

    When the search is complete, a timeline graph and a table of matching log entries load.

Search results

The search results table includes these columns:

Column      Description
Timestamp   The timestamp for when this log line was sent to the Arctic Wolf platform.
Sensor      The Arctic Wolf appliance or cloud sensor that sent the log data to the Arctic Wolf platform.
Source      The source of the log data.
Event       The log data that matched your search criteria.

Tips:

  • Click a table entry to view the complete log data.
  • When a search is complete, the results are saved for 14 days. Retrieving saved search results is faster than running the same search again. See View past search results for more information.

Export search results

  1. Run a search.
  2. Click Export, and then select an export option:
    • Single CSV file — Download all results into a single zip file.
    • One CSV file per day — Download one zip file for each day included in the time range.
  3. When compression is complete, click Download Results.

Notes:

  • You can export up to 500,000 raw log entries. To export a larger dataset, contact your CST at security@arcticwolf.com.
  • In exported CSV files, dates are in UTC.
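The two notes above matter once the export leaves the portal: every timestamp is UTC, and an export that reaches exactly 500,000 entries may have been cut off. The following script is an added example, not Arctic Wolf code, that post-processes a downloaded CSV accordingly. It assumes (the page does not state this) that the export carries a header row with the same four columns as the results table (Timestamp, Sensor, Source, Event) and ISO 8601 timestamps; the sample CSV, the sensor and source names, and the fixed -05:00 analyst offset are all constructed for the example.

```python
# Added example, not Arctic Wolf code: post-process a Raw Log Search CSV export.
# It parses the UTC timestamps (page note: exported dates are UTC), renders them
# in the analyst's time zone, counts entries per log source, and flags an export
# that reached the 500,000-entry cap and may therefore be incomplete.
# Assumptions (not stated on the page): header row with the columns
# Timestamp, Sensor, Source, Event; ISO 8601 timestamps, with or without "Z".
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

EXPORT_LIMIT = 500_000  # per the page: maximum raw log entries in one export

# Constructed fixed offset standing in for the analyst's zone (e.g. EST).
# For a real zone use zoneinfo.ZoneInfo("America/New_York") instead.
ANALYST_TZ = timezone(timedelta(hours=-5))

# Constructed sample (three rows) standing in for a downloaded CSV file.
SAMPLE_CSV = """Timestamp,Sensor,Source,Event
2024-02-16T13:05:22Z,sensor-01,dc01.example.internal,"sshd[812]: Accepted password for alice from 10.0.0.5 port 51234 ssh2"
2024-02-16T13:06:01Z,sensor-01,dc01.example.internal,"sshd[813]: Failed password for bob from 10.0.0.9 port 51240 ssh2"
2024-02-16 13:07:45,sensor-02,fw01.example.internal,"action=allow src=10.0.0.9 dst=198.51.100.7 dport=443"
"""


def parse_timestamp(value: str) -> datetime:
    """Parse an exported timestamp; a value with no zone is taken as UTC (page note)."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def parse_export(csv_text: str) -> list[dict]:
    """Read the CSV text into rows; 'ts' holds an aware UTC datetime."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": parse_timestamp(record["Timestamp"]),
            "sensor": record["Sensor"],
            "source": record["Source"],
            "event": record["Event"],
        })
    return rows


def to_local(ts: datetime, tz: timezone) -> str:
    """Render a UTC timestamp in the analyst's zone, keeping the offset visible."""
    return ts.astimezone(tz).isoformat()


def counts_by_source(rows: list[dict]) -> Counter:
    """How many exported entries each log source contributed."""
    return Counter(r["source"] for r in rows)


def export_may_be_truncated(rows: list[dict]) -> bool:
    """True when the row count reaches the export cap, so entries may be missing.
    Narrow the time range, export one file per day, or contact the CST."""
    return len(rows) >= EXPORT_LIMIT


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for r in rows:
        print(to_local(r["ts"], ANALYST_TZ), r["sensor"], r["source"], r["event"])
    print(counts_by_source(rows))
    print("possible truncation:", export_may_be_truncated(rows))
```

Treating a zone-less timestamp as UTC rather than local time is the point of the page's note; reading it as local time would shift every event by the analyst's offset and misalign the export with other evidence.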

Refine search data

  1. Run a search.
  2. Do one or both of these actions:
    • (Optional) Limit the time range of your search:
      1. Click and drag the end points of the timeline graph to modify the date range.
      2. Click Update time range.
    • (Optional) Limit the scope of your search.
      1. In the Search field, add conditional logic to your search expression.

        See Raw Log Search Expression Syntax Guide for more information.

      2. Click Search.

For more assistance, contact your CST at security@arcticwolf.com.

View past search results

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Data Exploration > Raw Log History.

  3. (Optional) Apply any of these filters to limit the list of saved searches:

    • In the Filter field, enter a keyword that might be in the search expression.
    • From the Run by list, select the user who ran the search.
  4. Review the log search history for your organization. This history includes searches that your CST runs on your behalf.

    The Search History table has these columns:

    Column    Description
    Search    The search that was run:
              • Search: The search expression.
              • Time: The date and time range that the search was limited to.
              • Sources: The log sources included in the search.
    Run by    Who ran the search and when.
    Details   The number of logs that matched the search expression and the volume of data.
    Actions   The actions that you can take for a saved search.
  5. To load the results of a past search, click View Search.

View Log Sources

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Raw Log Sources.

  3. (Optional) To limit the list of log sources, in the Filter field, enter the keyword or the name of a tag.

    See Log source tags for more information.

Log source tags

Tags are a convenient way to organize your log sources for future searches. You can create custom tags to group log sources. For example, you can group log sources by these tags:

There are also system-assigned tags that you can use to refine your search. These tags are assigned automatically to your log sources based on the parser that is configured in the Arctic Wolf system.

Tags are listed in the Assigned Tags column.

Notes:

  • If the tag is a custom tag, you can click X to remove the tag from a log source.
  • If the tag is system-assigned, you cannot remove or duplicate it.
  • You cannot manually add a system-assigned tag to a log source. If a log source is a firewall or Active Directory log source and it does not have the related firewall or active directory tag, contact your CST at security@arcticwolf.com.

Add a tag to multiple log sources

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Raw Log Sources.

  3. (Optional) To limit the list of log sources, in the Filter field, enter the keyword or the name of a tag.

    See Log source tags for more information.

  4. Select the log sources that you want to tag.

  5. Click the Select or Create a Custom Tag field, and then enter the name of a new custom tag or select an existing custom tag.

    Note: You cannot manually add a system-assigned tag to a log source. If a log source is a firewall or Active Directory log source and it does not have the related firewall or active directory tag, contact your CST at security@arcticwolf.com.

  6. Click Add Tag.

    The custom tag appears in the Assigned Tags column for the log sources that you selected.

Remove a tag from multiple log sources

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Data Exploration > Raw Log Sources.

  3. (Optional) To limit the list of log sources, in the Filter field, enter the keyword or the name of a tag.

    See Log source tags for more information.

  4. Click the Delete a Custom Tag field, and then enter the name of the tag that you want to remove.

  5. Select the log sources that you want to remove the tag from.

  6. Click Delete Tag.
