Raw Log Search lets you examine your raw unparsed logs. When you execute a
search, Google Security Operations first examines the security data that has been both ingested
and parsed. If the information you are searching for is not found, you can use
Raw Log Search to examine your raw unparsed logs.
Use Raw Log Search to investigate artifacts that appear in logs but are not
indexed, including:
Usernames
Filenames
Registry keys
Command line arguments
Raw HTTP request-related data
Domain names based on regular expressions
Asset names and addresses
To use Raw Log Search in Google SecOps, do the following:
In the search bar, enter your search string or regular expressions, and then
click Search.
In the menu, select Raw Log Search to display the search options.
Specify the Start Time and End Time (the default is 1 week) and click
Search.
The Raw Log Search view displays raw data events. You can filter results
by DNS, Webproxy, EDR, and Alert.
You can use regular expressions to search for and match sets of character
strings within your security data using Google SecOps. Regular
expressions let you narrow your search down using fragments of information, as
opposed to using a complete domain name, for example.
The following Procedural Filtering options are available in the Raw Log Search view:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eRaw Log Scan allows users to examine unparsed logs within Google Security Operations when the information is not found in the parsed data.\u003c/p\u003e\n"],["\u003cp\u003eUsers can search for artifacts like usernames, filenames, registry keys, and more within logs, even if the information is not indexed.\u003c/p\u003e\n"],["\u003cp\u003eRegular expressions can be used in Raw Log Scan to search and match character strings within security data, narrowing searches to information fragments.\u003c/p\u003e\n"],["\u003cp\u003eThe Raw Log Scan view includes filters based on events such as DNS, Webproxy, EDR, and Alert, but not GENERIC, EMAIL, or USER event types.\u003c/p\u003e\n"],["\u003cp\u003eTo search on Raw Log Scan you must specify the start and end time, and then the scan will begin.\u003c/p\u003e\n"]]],[],null,["# Filter data in Raw Log Search\n=============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\n**Raw Log Search** lets you examine your raw unparsed logs. When you execute a\nsearch, Google Security Operations first examines the security data that has been both ingested\nand parsed. If the information you are searching for is not found, you can use\n**Raw Log Search** to examine your raw unparsed logs.\n\nUse **Raw Log Search** to investigate artifacts that appear in logs but are not\nindexed, including:\n\n- Usernames\n- Filenames\n- Registry keys\n- Command line arguments\n- Raw HTTP request-related data\n- Domain names based on regular expressions\n- Asset names and addresses\n\nTo use **Raw Log Search** in Google SecOps, do the following:\n\n1. In the search bar, enter your search string or regular expressions, and then\n click **Search**.\n\n2. In the menu, select **Raw Log Search** to display the search options.\n\n3. Specify the **Start Time** and **End Time** (the default is 1 week) and click\n **Search**.\n\n The **Raw Log Search** view displays raw data events. You can filter results\n by `DNS`, `Webproxy`, `EDR`, and `Alert`.\n | **Note:** These filters don't apply to event types, such as `GENERIC`, `EMAIL`, and `USER`.\n\n You can use regular expressions to search for and match sets of character\n strings within your security data using Google SecOps. Regular\n expressions let you narrow your search down using fragments of information, as\n opposed to using a complete domain name, for example.\n\n The following **Procedural Filtering** options are available in the **Raw Log Search** view:\n - **Product Event Type**\n\n | **Note:** There are known inconsistencies between how events are displayed across views in the SecOps Console legacy **Raw Log Search** page: \n | ● **Raw Log** view: \n | Displays the **Event type** based on the raw `event_log_type` value. \n | For example `FILE_COPY`. \n | ● **UDM event fields** view: \n | Displays the `metadata.event_type` field based on the `event_log_type` value. \n | For example `FILE_COPY`. \n | ● **Procedural Filtering** view: \n | Displays the **Event type** field based on the `network.application_protocol` value. \n | For example `DNS`. \n - **Log Source**\n\n - **Network Connection Status**\n\n - **TLD**\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
