Use raw log search
When you perform a search, Google Security Operations first examines the security data that's been ingested, parsed, and normalized. If the information isn't found in the normalized data, you can use Raw log search to examine the raw, unparsed logs. You can also use regular expressions to examine the raw logs in more detail.
You can use Raw log search to investigate artifacts that appear in logs (but aren't indexed), including:
- Usernames
- Filenames
- Registry keys
- Command-line arguments
- Raw HTTP request-related data
- Domain names based on regular expressions
- Asset namespaces and addresses
Raw log search
You can perform a raw log search using the Search bar, located on the landing page or in the menu bar. Choose one of the following methods:
Use the raw= format
You can query raw logs by using the raw= format. This is the recommended method.
- To search for a substring, enclose the search term in quotes. For example,
raw = "ABC". - To search using a regular expression, enclose the expression in forward slashes (/).
For example,
raw = /AB*C/.
Legacy method: Use the Raw log search prompt
- In the Search bar, enter a search string with at least four characters (for example, an MD5 hash), including wildcards.
- If the search returns no results, the Raw log search option appears.
- Optional: Specify the Start time and End time. The default range is the last 7 days.
- Optional: In the Log sources list, select one or more log sources. The default setting is All.
- Click Search.
Events associated with the search string are displayed. Click Arrow to open the corresponding raw log.
Regular expressions
You can use regular expressions in Google SecOps to search for and match sets of character strings in your security data. Regular expressions help to narrow your search using fragments of information rather than requiring an exact match.
To run a search using regular expression syntax:
- In the Search field, enter a regular expression. Your regular expression must be 4 to 66 characters long.
- Select the Run query as regex checkbox and click Search.
The Google SecOps regular expression infrastructure is based on Google RE2, an open-source regular expression engine. Google SecOps uses the same regular expression syntax.
The following table highlights some of the common regular expression syntaxes you can use for your searches.
| Any character | . |
| x number of any characters | {x} |
| Character class | [xyz] |
| Negated character class | [^xyz] |
| Alphanumeric (0-9A-Za-z) | [[:alnum:]] |
| Alphabetic (A-Za-z) | [[:alpha:]] |
| Digits (0-9) | [[:digit:]] |
| Lower case (a-z) | [[:lower:]] |
| Upper case (A-Z) | [[:upper:]] |
| Word characters (0-9A-Za-z_) | [[:word:]] |
| Hex digit (0-9A-Fa-f) | [[:xdigit:]] |
| Question mark symbol (?) | Matches zero or one occurrence of the preceding element. |
| Asterisk (*) | Matches zero or more occurrences of the preceding character or group. |
| Plus sign (+) | Matches one or more occurrences of the preceding character or group. |
The following examples illustrate how you can use regular expressions to search data:
goo.le\.com—Matches any string that starts withgoo, followed by any single character, followed byle.com, such asgoogle.comorgoo0le.com.goo\w{3}\.com—Matches strings that start withgoo, followed by exactly three word characters (\w), and ending with.com. Examples includegoogle.com,goojle.com, orgoodle.com.[[:digit:]]\.[[:alpha:]]—matches a string that has a single digit, followed by a dot (.), followed by a single alphabetic character, such as34323.system,23458.office, or897.net.
Sample regular expressions to search for Windows logs
This section provides regular expression query strings you can use with Google SecOps Raw log search to find commonly monitored Windows events. These examples assume the Windows log messages are in JSON format.
For more information about commonly monitored Windows Event IDs, see Events to Monitor. The examples provided follow a similar pattern, described in these use cases.
| Use Case: Return events with the EventID 1150 | |
| Regular expression string: | \"EventID\"\:\s*1150 |
| Values Matched: | "EventID":1150 |
| Use Case:Return events with an Event ID that is either 1150 or 1151 | |
| Regular expression string | (?:\"EventID\"\:\s*)(?:1150|1151) |
| Values Matched | "EventID":1150 and "EventID":1151 |
| Use Case: Return events with an Event ID that is either 1150 or 1151, and with ThreadID 9092 | |
| Regular expression string | (?:\"EventID\"\:\s*)(?:1150|1151).*(?:\"ThreadID\"\:\s*9092) |
| Values Matched | "EventID":1150 <...any number of characters...> "ThreadID":9092
and "EventID":1151 <...any number of characters...> "ThreadID":9092 |
Find account management events
These regular expression query strings identify common account management events using the EventID attribute.
| Type of Event | Regular Expression |
| User Account Created | "EventID\"\:\s*4720 |
| User Account Enabled | "EventID\"\:\s*4722 |
| User Account Disabled | "EventID\"\:\s*4725 |
| User Account Deleted | "EventID\"\:\s*4726 |
| User Rights Modification | "EventID\"\:\s*4703 |
| Member Added to Security Enabled Global Group | "EventID\"\:\s*4728 |
| Member Removed from Security Enabled Global Group | "EventID\"\:\s*4729 |
| Security Enabled Global Group was Deleted | "EventID\"\:\s*4730 |
Find logon success events
These regular expression query strings identify types of successful logon events using the EventID and LogonType attributes.
| Type of Event | Regular Expression |
| Logon Success | "EventID\"\:\s*4624 |
| Logon Success - Interactive (LogonType=2) | "EventID\"\:\s*4624.*?LogonType\"\:\s*\"2\" |
| Logon Success - Batch Login (LogonType=4) | "EventID\"\:\s*4624.*?LogonType\"\:\s*\"4\" |
| Logon Success - Service Login (LogonType=5) | "EventID\"\:\s*4624.*?LogonType\"\:\s*\"5\" |
| Logon Success - RemoteInteractive Login (LogonType=10) | "EventID\"\:\s*4624.*?LogonType\"\:\s*\"10\" |
| Logon Success - Interactive, Batch, Service, or RemoteInteractive | (?:"EventID\"\:\s*4624.*?LogonType\"\:\s*\")(?:2|4|5|10)\" |
Find logon failure events
These regular expression query strings identify types of failed logon events using the EventID and LogonType attributes.
| Type of Event | Regular Expression |
| Logon Failure | "EventID\"\:\s*4625 |
| Logon Failure - Interactive (LogonType=2) | "EventID\"\:\s*4625.*?LogonType\"\:\s*\"2\" |
| Logon Failure - Batch Login (LogonType=4) | "EventID\"\:\s*4625.*?LogonType\"\:\s*\"4\" |
| Logon Failure - Service Login (LogonType=5) | "EventID\"\:\s*4625.*?LogonType\"\:\s*\"5\" |
| Logon Failure - RemoteInteractive Login (LogonType=10) | "EventID\"\:\s*4625.*?LogonType\"\:\s*\"10\" |
| Logon Failure - Interactive, Batch, Service, or RemoteInteractive | (?:"EventID\"\:\s*4625.*LogonType\"\:\s*\")(?:2|4|5|10)\" |
Find process, service and task events
These regular expression query strings identify certain process and service events using the EventID attribute.
| Type of Event | Regular Expression |
| Process Start | "EventID\"\:\s*4688 |
| Process Exit | "EventID\"\:\s*4689 |
| Service Installed | "EventID\"\:\s*4697 |
| New Service Created | "EventID\"\:\s*7045 |
| Schedule Task Created | "EventID\"\:\s*4698 |
Find events related to object access
These regular expression query strings identify different types of process and service related events using the EventID attribute.
| Type of Event | Regular Expression |
| Audit Log Cleared | "EventID\"\:\s*1102 |
| Object Access Attempted | "EventID\"\:\s*4663 |
| Share Accessed | "EventID\"\:\s*5140 |
Need more help? Get answers from Community members and Google SecOps professionals.