Search raw logs using Raw Log Scan
When you conduct a search, Google Security Operations first examines the security data that has been ingested, parsed, and normalized. If the information you are searching for is not found in the normalized data, you can use Raw Log Scan to examine the raw unparsed logs. You can also use regular expressions to more closely examine the raw logs.
You can use Raw Log Scan to investigate artifacts that appear in logs, but are not indexed, including:
- Usernames
- Filenames
- Registry keys
- Command-line arguments
- Raw HTTP request-related data
- Domain names based on regular expressions
- Asset namespaces and addresses
Raw Log Scan
To use Raw Log Scan, enter a search string in the search field on either the landing page or the menu bar (for example, an MD5 hash). Enter at least 4 characters (including wildcards). If Google Security Operations cannot find the search string in the normalized data, it offers the Raw Log Scan option. Specify the Start Time and End Time (the default is 1 week) and click SEARCH.
Raw Log Scan from the landing page
Events associated with the search string are displayed. You can open the associated raw log by clicking the arrow button.
You can also click the Log Sources drop-down menu and select one or more of the data sources you are sending to Google Security Operations to search. The default setting is All.
Regular expressions
You can use regular expressions to search for and match sets of character strings within your security data using Google Security Operations. Regular expressions enable you to narrow your search down using fragments of information, as opposed to using (for example) a complete domain name.
To run a search using regular expression syntax, enter your search in the Search field with the regular expression, check the Run Query as Regex checkbox, and click SEARCH. Your regular expression must be from 4 to 66 characters long.
Raw Log Scan run as a regular expression
The Google Security Operations regular expression infrastructure is based on Google RE2, an open-source regular expression engine, and uses the same regular expression syntax. Because RE2 guarantees linear-time matching, it does not support backreferences or lookaround assertions; patterns that rely on them will not run. See the RE2 documentation for more information.
The following table highlights some of the common regular expression syntaxes you can use for your searches.
Description | Syntax |
Any character | . |
x number of any characters | .{x} |
Character class | [xyz] |
Negated character class | [^xyz] |
Alphanumeric (0-9A-Za-z) | [[:alnum:]] |
Alphabetic (A-Za-z) | [[:alpha:]] |
Digits (0-9) | [[:digit:]] |
Lower case (a-z) | [[:lower:]] |
Upper case (A-Z) | [[:upper:]] |
Word characters (0-9A-Za-z_) | [[:word:]] |
Hex digit (0-9A-Fa-f) | [[:xdigit:]] |
The following examples illustrate how you could use this syntax to search across your data:
- goo.le\.com matches google.com, goooogle.com, etc.
- goo\w{3}\.com matches google.com, goodle.com, goojle.com, etc.
- [[:digit:]]\.[[:alpha:]] matches 34323.system, 23458.office, 897.net, etc.
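The following Go program is an added example, not code from the Google Security Operations documentation. Go's regexp package implements RE2 syntax, the same syntax Raw Log Scan uses, so it is a convenient offline way to check a pattern before running it. The program enforces the 4 to 66 character rule stated above (the constant names and the scanRawLogs helper are this example's own), then runs two of the sample patterns from this section over constructed raw log lines. Matching is unanchored, as in Raw Log Scan: the pattern may occur anywhere in the line.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode/utf8"
)

// Length limits for a Raw Log Scan regex as stated on this page. The
// constant names are chosen for this example, not by the product.
const (
	minRegexLen = 4
	maxRegexLen = 66
)

// compileScanRegex applies the two checks a Raw Log Scan regex must pass:
// the 4-66 character length rule and RE2 syntax. A pattern that Go's RE2
// implementation rejects (for example a lookahead) will not run in
// Raw Log Scan either.
func compileScanRegex(pattern string) (*regexp.Regexp, error) {
	n := utf8.RuneCountInString(pattern)
	if n < minRegexLen || n > maxRegexLen {
		return nil, fmt.Errorf("pattern length %d is outside %d-%d characters", n, minRegexLen, maxRegexLen)
	}
	return regexp.Compile(pattern)
}

// scanRawLogs returns every raw log line in which pattern matches anywhere.
func scanRawLogs(pattern string, rawLogs []string) ([]string, error) {
	re, err := compileScanRegex(pattern)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, line := range rawLogs {
		if re.MatchString(line) {
			hits = append(hits, line)
		}
	}
	return hits, nil
}

// sampleLogs are constructed raw log lines for this example, not real data.
var sampleLogs = []string{
	"GET http://google.com/ 200",
	"GET http://goodle.com/ 404",
	"GET http://goojle.com/ 404",
	"GET http://go.com/ 200",
	"host=34323.system status=up",
	"host=897.net status=up",
	"host=web.example status=up",
}

func main() {
	// The last two patterns are rejected: one is too short, one uses a
	// lookahead that RE2 does not support.
	for _, p := range []string{`goo\w{3}\.com`, `[[:digit:]]\.[[:alpha:]]`, `ab`, `(?=abc)`} {
		hits, err := scanRawLogs(p, sampleLogs)
		fmt.Printf("%-26s -> %v (err=%v)\n", p, hits, err)
	}
}
```

Run it with `go run .`; the first pattern reports the three goo???.com hosts, the second the two lines with a digit, a dot and a letter in sequence, and the remaining two patterns return an error instead of a result.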
Sample regular expressions to search for Windows logs
This section provides regular expression query strings you can use with Google Security Operations raw log scan to find commonly monitored Windows events. These examples assume the Windows log messages are in JSON format.
For more information about commonly monitored Windows Event IDs, see the Events to Monitor topic in Microsoft documentation. The examples provided follow a similar pattern, described in these use cases.
Use Case | Return events with the EventID 1150 |
Regex String | \"EventID\"\:\s*1150 |
Values Matched | "EventID":1150 |
Use Case | Return events with an Event ID that is either 1150 or 1151 |
Regex String | (?:\"EventID\"\:\s*)(?:1150|1151) |
Values Matched | "EventID":1150 and "EventID":1151 |
Use Case | Return events with an Event ID that is either 1150 or 1151, and with ThreadID 9092 |
Regex String | (?:\"EventID\"\:\s*)(?:1150|1151).*(?:\"ThreadID\"\:\s*9092) |
Values Matched | "EventID":1150 <...any number of characters...> "ThreadID":9092 and "EventID":1151 <...any number of characters...> "ThreadID":9092 |
Find account management events
These regular expression query strings identify common account management events using the EventID attribute.
Type of Event | Regular Expression |
User Account Created | EventID\"\:\s*4720 |
User Account Enabled | EventID\"\:\s*4722 |
User Account Disabled | EventID\"\:\s*4725 |
User Account Deleted | EventID\"\:\s*4726 |
User Rights Modification | EventID\"\:\s*4703 |
Member Added to Security Enabled Global Group | EventID\"\:\s*4728 |
Member Removed from Security Enabled Global Group | EventID\"\:\s*4729 |
Security Enabled Global Group was Deleted | EventID\"\:\s*4730 |
Find logon success events
These regular expression query strings identify types of successful logon events using the EventID and LogonType attributes.
Type of Event | Regular Expression |
Logon Success | EventID\"\:\s*4624 |
Logon Success - Interactive (LogonType=2) | EventID\"\:\s*4624.*?LogonType\"\:\s*\"2\" |
Logon Success - Batch Login (LogonType=4) | EventID\"\:\s*4624.*?LogonType\"\:\s*\"4\" |
Logon Success - Service Login (LogonType=5) | EventID\"\:\s*4624.*?LogonType\"\:\s*\"5\" |
Logon Success - RemoteInteractive Login (LogonType=10) | EventID\"\:\s*4624.*?LogonType\"\:\s*\"10\" |
Logon Success - Interactive, Batch, Service, or RemoteInteractive | (?:EventID\"\:\s*4624.*?LogonType\"\:\s*\")(?:2|4|5|10)\" |
Find logon failure events
These regular expression query strings identify types of failed logon events using the EventID and LogonType attributes.
Type of Event | Regular Expression |
Logon Failure | EventID\"\:\s*4625 |
Logon Failure - Interactive (LogonType=2) | EventID\"\:\s*4625.*?LogonType\"\:\s*\"2\" |
Logon Failure - Batch Login (LogonType=4) | EventID\"\:\s*4625.*?LogonType\"\:\s*\"4\" |
Logon Failure - Service Login (LogonType=5) | EventID\"\:\s*4625.*?LogonType\"\:\s*\"5\" |
Logon Failure - RemoteInteractive Login (LogonType=10) | EventID\"\:\s*4625.*?LogonType\"\:\s*\"10\" |
Logon Failure - Interactive, Batch, Service, or RemoteInteractive | (?:EventID\"\:\s*4625.*LogonType\"\:\s*\")(?:2|4|5|10)\" |
Find process, service, and scheduled task events
These regular expression query strings identify process, service, and scheduled task events using the EventID attribute.
Type of Event | Regular Expression |
Process Start | EventID\"\:\s*4688 |
Process Exit | EventID\"\:\s*4689 |
Service Installed | EventID\"\:\s*4697 |
New Service Created | EventID\"\:\s*7045 |
Scheduled Task Created | EventID\"\:\s*4698 |
Find events related to object access
These regular expression query strings identify object access and audit log events using the EventID attribute.
Type of Event | Regular Expression |
Audit Log Cleared | EventID\"\:\s*1102 |
Object Access Attempted | EventID\"\:\s*4663 |
Share Accessed | EventID\"\:\s*5140 |
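The following Go program is an added example that is not part of the Google Security Operations documentation; it exercises the query strings from the Windows use cases and the event tables above against constructed JSON-formatted log lines. The patterns are copied from the tables unchanged (Go's regexp package implements RE2 syntax), except that the "Interactive, Batch, Service, or RemoteInteractive" patterns are generated by a small helper, logonTypePattern, which generalizes that row to any event ID and set of LogonType values. The helper, the detection labels and the sample log lines are this example's own. Two things the tables do not show become visible when the code runs: the `\s*` in each pattern is what lets `"EventID": 4624` (with a space) match, and the `.*` in the EventID-plus-ThreadID pattern only scans forward, so a record that lists ThreadID before EventID is not returned.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// logonTypePattern generalizes the combined rows on this page (for example
// "Logon Success - Interactive, Batch, Service, or RemoteInteractive") to
// any event ID and any set of LogonType values. This helper is part of the
// example, not of the product.
func logonTypePattern(eventID string, logonTypes ...string) string {
	return `(?:EventID\"\:\s*` + eventID + `.*?LogonType\"\:\s*\")(?:` +
		strings.Join(logonTypes, "|") + `)\"`
}

// detections maps an example label to a Raw Log Scan regex. Every pattern is
// taken from the tables on this page except the two built by logonTypePattern.
var detections = map[string]string{
	"EventID 1150/1151 with ThreadID 9092": `(?:\"EventID\"\:\s*)(?:1150|1151).*(?:\"ThreadID\"\:\s*9092)`,
	"User Account Created":                 `EventID\"\:\s*4720`,
	"Logon Success":                        `EventID\"\:\s*4624`,
	"Logon Success - RemoteInteractive":    `EventID\"\:\s*4624.*?LogonType\"\:\s*\"10\"`,
	"Logon Success - 2/4/5/10":             logonTypePattern("4624", "2", "4", "5", "10"),
	"Logon Failure":                        `EventID\"\:\s*4625`,
	"Logon Failure - 2/4/5/10":             logonTypePattern("4625", "2", "4", "5", "10"),
	"Audit Log Cleared":                    `EventID\"\:\s*1102`,
}

// compiled holds the RE2-compiled form of every detection.
var compiled = mustCompileAll(detections)

func mustCompileAll(m map[string]string) map[string]*regexp.Regexp {
	out := make(map[string]*regexp.Regexp, len(m))
	for name, p := range m {
		out[name] = regexp.MustCompile(p)
	}
	return out
}

// classify returns the sorted labels of every detection whose regex matches
// somewhere in the raw log line (unanchored, like Raw Log Scan).
func classify(rawLog string) []string {
	var hits []string
	for name, re := range compiled {
		if re.MatchString(rawLog) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleLogs are constructed JSON-formatted Windows log lines for this
// example; they are not real event records.
var sampleLogs = []string{
	`{"EventID":4624,"LogonType":"10","TargetUserName":"alice"}`,
	`{"EventID": 4624, "LogonType": "3", "TargetUserName": "svc-backup"}`,
	`{"EventID":4625,"LogonType":"2","TargetUserName":"bob"}`,
	`{"EventID":4720,"TargetUserName":"newuser"}`,
	`{"EventID":1150,"ThreadID":9092}`,
	`{"ThreadID":9092,"EventID":1150}`,
	`{"EventID":1102,"SubjectUserName":"admin"}`,
}

func main() {
	for _, line := range sampleLogs {
		fmt.Printf("%v\n    %s\n", classify(line), line)
	}
}
```

The second sample line (network logon, LogonType 3) matches only the plain "Logon Success" pattern, which is the point of the combined row in the table: it restricts a search to the logon types listed. The sixth line matches nothing even though it carries both fields, so when the field order in your source is not fixed, search for each field separately or use two patterns with the fields in either order.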