Raw Log Search

User Guide

Updated Mar 17, 2023

Raw Log Search

Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you query the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to build queries for operational and security-related tasks, such as validating a configuration change or investigating a security alert.

Tip: You can also query the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs in the Arctic Wolf Unified Portal User Guide for details.

Run a search query

  1. From the MDR Dashboard menu bar, click Logs.

  2. (Optional) Select a preset search query:

    1. Select an option from the Examples list.
    2. If prompted, enter the required search criteria, for example, a username.
    3. Click Apply to add the query to the Search field.
  3. (Optional) Limit your search to log sources that have a specific tag:

    1. Click the Log Source field.

    2. Add one or more tags from the list. For example, select active directory and auth to include only log sources that have the active directory tag and log sources that have the auth tag.

      Tip: See Log source tags for more information.

  4. (Optional) Set the desired time range.

    Note: The oldest log data that you can search is based on your data retention policy. By default, data sent to Arctic Wolf prior to January 2019 is not searchable. If your data retention period begins before January 2019 and you would like to search your full history, contact your Concierge Security® Team (CST).

  5. (Optional) In the Search field, enter or modify your search query.

    Tip: See the Raw Log Search Query Guide for more information about syntax.

  6. Select or deselect the Case sensitive option.

  7. Click Search.

A timeline graph and a table of matching log sources load when the query is complete.

Search results

Search results are displayed in a table. If there are more than 500 results for your query, the results are divided into multiple pages of 500 results per page. Click the navigation arrows to move between pages.

The search results table includes these columns:

  • Timestamp (UTC): The timestamp for when this log line was sent to the Arctic Wolf platform.
  • Sensor: The Arctic Wolf appliance or cloud sensor that sent the log data to the Arctic Wolf platform.
  • Source: The source of the log data.
  • Event: The log data that matched your query.

Tip: Click a table entry to view the complete log data.

Export search results

After running a search query:

  1. Click Export, and then select an export option:
    • Single zipped file — Download all results into a single zipped file.
    • One zipped file per day — Download multiple zipped files, one for each day included in the time range.
  2. When compression is complete, click Download Results.

Drill down into data

After running a search query, do one or both of the following:

If you need further assistance drilling into data, contact your CST.

View Search Activity

  1. From the MDR Dashboard menu bar, click Logs.
  2. Click Search Activity to switch tabs.
  3. (Optional) Apply filters to narrow the list of saved search queries:
    • In the Filter box, enter a key word related to the query.
    • From the Run by list, select the user who created the query.

Note: Your raw log search history includes searches that your CST runs on your behalf.

The Search History table has these columns:

  • Run by: Who ran the search and when.
  • Search: The search term and parameters, which include the log sources specified and the time range.
  • Status: Whether the search is complete and whether the data was exported, the number of logs that matched the search query, and the volume of data.
  • Actions: The actions that you can take on a saved search:
    • Click Delete to remove a search query from the search history.
    • Click Export, and then select an export option. See Export search results for details.
    • Click View Search to run the search query.

View Log Sources

  1. From the MDR Dashboard menu bar, click Logs.

  2. Click Log Sources to switch tabs.

  3. (Optional) To narrow the list of log sources, enter the keyword or the name of a tag in the Filter box.

    Tip: See Raw log source tags for details.

Log source tags

Tags are a convenient way to organize your log sources for future searches. You can create custom tags to group log sources. For example, you might group log sources by:

There are also system-assigned tags that you can add to a search query. These tags are automatically assigned to your log sources based on the parser configured in the Arctic Wolf system.

Tags are listed in the Assigned Tags column.

Note:

Tag log sources

  1. From the MDR Dashboard menu bar, click Logs.

  2. Click Log Sources to switch tabs.

  3. (Optional) To narrow the list of log sources, enter the keyword or the name of a tag in the Filter box.

    Tip: See Raw log source tags for details.

  4. Select the log sources that you want to tag.

  5. Click the Add Tag text field to select an existing tag or enter the name of a new custom tag.

    Note: You cannot manually add a system-assigned tag to a log source. If there are firewall or Active Directory log sources that do not have the respective firewall or active directory tag, contact your CST.

  6. Click Add Tag.

The custom tag appears in the Assigned Tags column for the log sources that you selected.

Remove a tag from multiple log sources

  1. From the MDR Dashboard menu bar, click Logs.

  2. Click Log Sources to switch tabs.

  3. (Optional) To narrow the list of log sources, enter the keyword or the name of a tag in the Filter box.

    Tip: See Raw log source tags for details.

  4. Click the Remove Tag text field and enter the name of the tag that you want to remove.

  5. Select the log sources that you want to remove the tag from.

  6. Click Remove Tag.

See also