Filter data in Raw Log Scan view

Raw Log Scan lets you examine your raw unparsed logs. When you execute a search, Google Security Operations first examines the security data that has been both ingested and parsed. If the information you are searching for is not found, you can use Raw Log Scan to examine your raw unparsed logs. You can also use regular expressions to more closely examine the raw logs.

Use Raw Log Scan to investigate artifacts that appear in logs but are not indexed, including:

• Usernames
• Filenames
• Registry keys
• Command line arguments
• Raw HTTP request-related data
• Domain names based on regular expressions
• Asset names and addresses

To use Raw Log Scan in Google Security Operations, complete the following steps:

1. Enter a search string in the search bar on either the landing page or the menu bar at the top of the Google Security Operations user interface. Click SEARCH.

2. Select Raw Log Scan from the menu. Google Security Operations opens the Raw Log Scan options.

3. Specify the Start Time and End Time (the default is 1 week) and click SEARCH.

   In the Raw Log Search view, the filters are based on a limited set of events such as DNS, Webproxy, EDR, and Alert. The filters don't include information about other event types such as GENERIC, EMAIL, and USER. Raw Log Scan view is displayed.

   You can use regular expressions to search for and match sets of character strings within your security data using Google Security Operations. Regular expressions let you narrow your search down using fragments of information, as opposed to using a complete domain name, for example.

   The following Procedural Filtering options are available in the Raw Log Scan view:

   • EVENT TYPE
   • LOG SOURCE
   • NETWORK CONNECTION STATUS
   • TLD