Filtering data in Raw Log Scan view

Raw Log Scan enables you to examine your raw unparsed logs. When you execute a search, Chronicle first examines the security data that has been both ingested and parsed. If the information you are searching for is not found, you can use Raw Log Scan to examine your raw unparsed logs. You can also use regular expressions to more closely examine the raw logs.

Use Raw Log Scan to investigate artifacts that appear in logs but are not indexed, including:

  • Usernames
  • Filenames
  • Registry keys
  • Command line arguments
  • Raw HTTP request-related data
  • Domain names based on regular expressions
  • Asset names and addresses

To use Raw Log Scan in Chronicle, complete the following steps:

  1. Enter a search string in the search bar on either the landing page or the menu bar at the top of the Chronicle user interface. Click SEARCH.

    image Search for text value from the landing page

  2. Select Raw Log Scan from the dropdown menu.

    image Chronicle search autodetect menu

  3. Chronicle opens the Raw Log Scan options.

    image Raw Log Scan search options menu

  4. Specify the Start Time and End Time (the default is 1 week) and click SEARCH.

  5. Raw Log Scan view is displayed, as shown below.

    image Raw Log Scan view

    You can use regular expressions to search for and match sets of character strings within your security data using Chronicle. Regular expressions enable you to narrow your search down using fragments of information, as opposed to using a complete domain name, for example.

    The following Procedural Filtering options are available in the Raw Log Scan view:

    • EVENT TYPE
    • LOG SOURCE
    • NETWORK CONNECTION STATUS
    • TLD

    image Raw Log Scan view filtering options