
Hello,

I am looking at the following preview documentation:

https://cloud.google.com/chronicle/docs/preview/search/raw-log-search-in-investigate

Using UDM Search, one can only search for UDM events and not UDM entities. The documentation says:

>After you complete a raw log search, each matching raw log line is replaced with the events and entities contained in the log line.

What does that mean? And is raw log search and UDM entity search the same?

Thank you!

While using raw log search to search across the raw log message, you may surface events that have been UDM normalized and contain entity data. So while raw log search may surface entities as part of its results, it doesn't specifically target entities.


I generally think a picture helps describe things. Essentially, you search for something/anything raw=/.*/

This is what your results will look like without looking for more context. Basically, you get a timestamp, and the metadata.event_type, a summary (these appear to be mainly target noun values, ie registry, file full path, hostname etc.) and then an entity list.


There are subtabs in the event viewer with that same entity list as well as UDM fields and Raw Log data.


The intent here is to have a single search interface so you don't have to go elsewhere to execute a raw event search from a UDM search.


In this case, raw=/wrk-pacman/ log_source in ["Windows Sysmon"] is going to return the same results as hostname = /wrk-pacman/ NOCASE AND metadata.product_name = "Microsoft-Windows-Sysmon", but they are very different searches as the first one is looking for the string wrk-pacman anywhere within the log, whereas the latter search is looking in many hostname fields but ONLY hostname fields.


Thank you so much. Just a quick followup.

What do you mean by the following: the latter search is looking in many hostname fields but ONLY hostname fields.


Ah yes, re-reading that I can see the ambiguity. Raw log search is looking for direct string or regex matches and does not care where in the raw log it finds it.


In UDM, the search is constrained to the field or fields that are in the query expression. So in a UDM search if you specify


principal.hostname = "host123"

the only place it will search is in principal.hostname. Because there are times when we want to search multiple hostname fields without having to write a search like


principal.hostname = "host123" or target.hostname = "host123" or src.hostname = "host123" or intermediary.hostname = "host123" or observer.hostname = "host123"

we can instead use the grouped field capability and just search


hostname = "host123"

which does that heavy lifting for us.


The tradeoff with UDM v raw search are things like speed of search, knowing the data is parsed into a consistent place for all data sets and being able to apply AI constructs to search.
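A toy model of the distinction drawn in this thread, added here as an example and not code from the original posts or from Chronicle: the events, raw log lines and the grouped-field mapping are constructed, and the two search functions approximate the described semantics (regex anywhere in the raw line versus a match constrained to the named UDM field, with `hostname` fanning out to the five fields listed above) rather than reproducing the product's parser or query engine.

```python
import re

# Grouped field "hostname" fans out to the five hostname fields named in the
# thread (constructed mapping; the product may group additional fields).
GROUPED_FIELDS = {
    "hostname": ["principal.hostname", "target.hostname", "src.hostname",
                 "intermediary.hostname", "observer.hostname"],
}

# Constructed sample events: parsed UDM fields plus the raw log each came from.
EVENTS = [
    {"id": 1, "metadata.product_name": "Microsoft-Windows-Sysmon",
     "principal.hostname": "WRK-PACMAN",  # parser upper-cased the hostname
     "raw": "Sysmon EventID=1 Computer=wrk-pacman Image=C:\\Windows\\cmd.exe"},
    {"id": 2, "metadata.product_name": "Microsoft-Windows-Sysmon",
     "principal.hostname": "srv-db01",
     "raw": "Sysmon EventID=3 Computer=srv-db01 DestinationIp=10.0.0.5"},
    {"id": 3, "metadata.product_name": "Microsoft-Windows-Sysmon",
     "principal.hostname": "srv-web02",  # wrk-pacman only in the command line
     "raw": "Sysmon EventID=1 Computer=srv-web02 CommandLine=net use \\\\wrk-pacman\\share"},
    {"id": 4, "metadata.product_name": "Linux Auditd",
     "target.hostname": "wrk-pacman",
     "raw": "type=SYSCALL host=wrk-pacman comm=ssh"},
]

def raw_search(events, pattern, log_sources=None):
    """raw=/pattern/ [log_source in [...]]: the regex may match anywhere in the
    raw line, regardless of which UDM field (if any) the parser mapped it to."""
    rx = re.compile(pattern)
    return [e["id"] for e in events
            if rx.search(e["raw"])
            and (log_sources is None or e["metadata.product_name"] in log_sources)]

def udm_search(events, field, pattern, nocase=False):
    """field = /pattern/ [NOCASE]: only the named UDM field is examined; a
    grouped field such as `hostname` expands to its member fields, OR-ed."""
    rx = re.compile(pattern, re.IGNORECASE if nocase else 0)
    fields = GROUPED_FIELDS.get(field, [field])
    return [e["id"] for e in events
            if any(rx.search(e.get(f, "")) for f in fields)]

def compare(events):
    """The two queries from the thread side by side, as sorted event-id lists."""
    raw_ids = raw_search(events, r"wrk-pacman", ["Microsoft-Windows-Sysmon"])
    udm_ids = sorted(set(udm_search(events, "hostname", r"wrk-pacman", nocase=True))
                     & set(udm_search(events, "metadata.product_name",
                                      r"^Microsoft-Windows-Sysmon$")))
    return {"raw": raw_ids, "udm": udm_ids}
```

Event 3 is the case the answer warns about: the raw search hits it because the string appears in a command line, while the hostname search does not, since no hostname field carries that value.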

