Raw Log Scan enables you to examine your raw unparsed logs. When you execute a search, Chronicle first examines the security data that has been both ingested and parsed. If the information you are searching for is not found, you can use Raw Log Scan to examine your raw unparsed logs. You can also use regular expressions to more closely examine the raw logs.
Use Raw Log Scan to investigate artifacts that appear in logs but are not indexed, including:
- Registry keys
- Command line arguments
- Raw HTTP request-related data
- Domain names based on regular expressions
- Asset names and addresses
To use Raw Log Scan in Chronicle, complete the following steps:
1. Enter a search string in the search bar on either the landing page or the menu bar at the top of the Chronicle user interface. Click SEARCH.
   [Screenshot: searching for a text value from the landing page]
2. Select Raw Log Scan from the dropdown menu.
   [Screenshot: Chronicle search autodetect menu]
   Chronicle opens the Raw Log Scan options.
   [Screenshot: Raw Log Scan search options menu]
3. Specify the Start Time and End Time (the default is 1 week) and click SEARCH.
   The Raw Log Scan view is displayed, as shown below.
   [Screenshot: Raw Log Scan view]
Chronicle lets you use regular expressions to search for and match sets of character strings within your security data. Regular expressions let you narrow a search using fragments of information, for example part of a domain name rather than the complete name.
The following Procedural Filtering options are available in the Raw Log Scan view:
- EVENT TYPE
- LOG SOURCE
- NETWORK CONNECTION STATUS
[Screenshot: Raw Log Scan view filtering options]