

How do we query the list of unparsed logs from the SIEM?


Do you mean logs that failed parsing?



You can do that with cbn_cli, e.g.


cbn_cli.py --region EUROPE error -l WORKSPACE_ACTIVITY -sd 2023-08-01T00:00:00Z -ed 2023-08-16T07:50:00Z



I use the dashboard to see which log sources have failed logs. I don't know if there's an API call that allows you to see which log sources have recent fails.



Yes
@ion_
I ingested the unsupported logs via the Windows parser. I was able to view it in the SIEM. Since I know the log, I queried it using the values from the raw log.



Event Type is getting tagged as Unparsed Log, but I'm trying to find the UDM field to filter these logs.






Unfortunately, I don't have access to the CBN_CLI



Okay, so I'm assuming you're looking at raw log search here?



Try to search for the following in UDM:

metadata.log_type="WINEVTLOG"

If this returns nothing, then all of your logs aren't parsing correctly.





Note: “WINDOWS” needs to map to the log label you’re using.






If you can safely redact a sample raw log enough to send it to me, I can run it against the default Windows Event parser and tell you what the issue is.





You're going to run into issues if you can't use cbn_cli, though. If it's possible to gain access, I would recommend it.



What you said is correct.



I will DM you

