Hi,
What is the best way to field unparsed events ingested in SecOps SIEM without it being a pain? So far I have been searching the raw log with regex and using Procedural Filtering for individual log sources until I collect a few hundred, and then try to work on a parser extension. This has been painful and a lot of manual work, and the chances of missing unparsed events are high for us (considering the volume of data we ingest and the search results capping the returned events at x results (10,000 by default)).
I believe there should be a way for searching for just unparsed logs so that we have better visibility of what we are missing out on.
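The triage loop described in the post (scan raw logs, pull out the ones no parser covers, collect enough samples to write a parser extension) can be made less manual by grouping unparsed lines into templates rather than counting individual events. The script below is an added example, not code from this thread or from Google SecOps: the raw log lines and the "known parser" regexes are constructed stand-ins, and it operates on an exported batch of raw lines rather than through any SecOps API. Anything already matched by a known pattern is counted as parsed; everything else is normalised (IPs, hex ids, timestamps, numbers replaced by placeholders) so that lines from the same unsupported source collapse into one template with a count and a few verbatim samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw log lines (not real data, not from the thread).
RAW_LOGS = [
    "Jan 10 12:00:01 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 12:00:02 host1 sshd[1235]: Failed password for bob from 10.0.0.6 port 51235 ssh2",
    "CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.7 suser=carol",
    "Jan 10 12:00:03 fw1 kernel: DROP IN=eth0 SRC=192.168.1.10 DST=10.0.0.1 PROTO=TCP DPT=445",
    "Jan 10 12:00:04 fw1 kernel: DROP IN=eth0 SRC=192.168.1.11 DST=10.0.0.1 PROTO=TCP DPT=3389",
    "Jan 10 12:00:05 app2 myapp: user=dave action=export rows=1500 status=ok",
    "<134>1 2024-01-10T12:00:06Z app3 vpnd 77 - - session 0x1f3a opened for erin",
]

# Constructed regexes standing in for the log sources a parser already covers.
# In practice these come from your own inventory of parsed sources.
KNOWN_PATTERNS = {
    "syslog_sshd": re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) \w+ for"),
    "cef": re.compile(r"^CEF:\d+\|"),
}

# Order matters: replace structured tokens (IPs, hex, timestamps) before bare digits.
_NORMALISERS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),
    (re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z?"), "<ts>"),
    (re.compile(r"\d+"), "<n>"),
]


def classify(line):
    """Return the name of the first known pattern matching the line, or None."""
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern.search(line):
            return name
    return None


def fingerprint(line):
    """Collapse variable fields to placeholders so similar lines share one template."""
    for pattern, replacement in _NORMALISERS:
        line = pattern.sub(replacement, line)
    return line


def triage(lines, sample_per_template=3):
    """Split lines into parsed counts and unparsed templates with sample lines.

    Returns (parsed_counter, unparsed_dict) where unparsed_dict maps a
    template string to {"count": int, "samples": [raw lines]}.
    """
    parsed = Counter()
    unparsed = defaultdict(lambda: {"count": 0, "samples": []})
    for line in lines:
        name = classify(line)
        if name is not None:
            parsed[name] += 1
            continue
        bucket = unparsed[fingerprint(line)]
        bucket["count"] += 1
        if len(bucket["samples"]) < sample_per_template:
            bucket["samples"].append(line)
    return parsed, dict(unparsed)


def report(lines):
    """Print unparsed templates, most frequent first, with their sample lines."""
    parsed, unparsed = triage(lines)
    print(f"parsed: {dict(parsed)}")
    for template, info in sorted(unparsed.items(), key=lambda kv: -kv[1]["count"]):
        print(f"\n[{info['count']}x] {template}")
        for sample in info["samples"]:
            print(f"    {sample}")


if __name__ == "__main__":
    report(RAW_LOGS)
```

Run against a batch exported from a short time window, the template list tells you how many distinct unsupported sources are in that window and how much volume each carries, which is a better basis for prioritising parser-extension work than a flat list of ten thousand raw hits.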
You can now run raw searches through udm search page.
Hello @srijankafle, the raw scan is your best approach. A few pointers that might help narrow things down a little:
If the above doesn't get you further ahead, you might find some more answers here: https://cloud.google.com/chronicle/docs/investigation/search-raw-log or feel free to follow up here with further questions.
Hi @chrisproudley ,
We are currently using the same method. However, in an MSSP environment where thousands of events are ingested every few seconds, finding the unparsed logs is like searching for a needle in a haystack.
We have reached a point where we have to reduce the timeframe to include only a few minutes of logs (as the maximum result is capped), identify unparsed logs, and repeat this until we assume there are no other logs missing.
We are searching for a way to search just for unparsed logs. As an engineer, this is a very crucial part of the task that we would need, and I do not see this being discussed anywhere else.