Raw Log Search lets you examine your raw, unparsed logs. When you run a
search, Google Security Operations first examines the security data that has been both ingested
and parsed. If the information you are searching for is not found there, you can use
Raw Log Search to examine the raw, unparsed logs instead.
Use Raw Log Search to investigate artifacts that appear in logs but are not
indexed, including:
Usernames
Filenames
Registry keys
Command line arguments
Raw HTTP request-related data
Domain names based on regular expressions
Asset names and addresses
To use Raw Log Search in Google SecOps, do the following:
1. In the search bar, enter your search string or regular expression, and then
click Search.
2. In the menu, select Raw Log Search to display the search options.
3. Specify the Start Time and End Time (the default is 1 week) and click
Search.
The Raw Log Search view displays raw data events. You can filter results
by DNS, Webproxy, EDR, and Alert.
You can use regular expressions in Google SecOps to search for and match sets of character
strings within your security data. Regular expressions let you narrow your search
using fragments of information, for example part of a domain name rather than
a complete domain name.
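The following is an added illustration, not Google SecOps code: it models the behaviour described above over a handful of constructed raw log lines, showing how a regex fragment matches several related domains, how a registry key or username is found in unparsed text, and how the one-week default window and the DNS/Webproxy/EDR/Alert filters narrow the result set.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed raw, unparsed log lines (sample data, not real Google SecOps output).
# Each entry carries a log type so results can be filtered the way the Raw Log
# Search view filters by DNS, Webproxy, EDR and Alert.
RAW_LOGS = [
    ("DNS", "2025-05-13T08:01:02Z", "query=update.cdn-example.net type=A client=10.0.0.5"),
    ("Webproxy", "2025-05-13T08:02:10Z", "GET http://files.cdn-example.net/setup.exe user=jdoe status=200"),
    ("EDR", "2025-05-13T08:02:15Z", 'proc=powershell.exe args="-File C:\\Scripts\\inventory.ps1" user=jdoe'),
    ("EDR", "2025-05-13T08:02:20Z", "regset HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("Alert", "2025-05-01T12:00:00Z", "rule=SuspiciousDownload host=ws-017 domain=cdn-example.net"),
]


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def default_window(end_ts):
    """Raw Log Search defaults to a one-week window; return (start, end) as strings."""
    start = parse_ts(end_ts) - timedelta(weeks=1)
    return start.strftime(TS_FMT), end_ts


def raw_log_search(pattern, start_ts, end_ts, log_types=None, logs=RAW_LOGS):
    """Regex-search raw lines with timestamps in [start_ts, end_ts], optionally
    limited to the given log types. Returns (log_type, timestamp, matched_text)."""
    rx = re.compile(pattern, re.IGNORECASE)
    start, end = parse_ts(start_ts), parse_ts(end_ts)
    hits = []
    for log_type, ts, line in logs:
        if not (start <= parse_ts(ts) <= end):
            continue  # outside the requested time range
        if log_types and log_type not in log_types:
            continue  # filtered out by log type
        m = rx.search(line)
        if m:
            hits.append((log_type, ts, m.group(0)))
    return hits


if __name__ == "__main__":
    start, end = default_window("2025-05-13T23:59:59Z")
    # A domain fragment matches both subdomains; the 2025-05-01 alert falls outside the window.
    for hit in raw_log_search(r"cdn-example\.net", start, end):
        print(hit)
    # Registry keys and usernames are found in the raw text even though nothing parsed them.
    print(raw_log_search(r"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", start, end))
    print(raw_log_search(r"user=jdoe", start, end, log_types={"EDR"}))
```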
The following Procedural Filtering options are available in the Raw Log Search view:
Last updated 2025-05-20 UTC.