Conduct a raw log search

This document explains how you can use Google Security Operations to search the raw logs ingested into your Google SecOps tenant and get relevant context, including associated events and entities.

Raw log searches correlate raw logs with the UDM events generated from them. This helps you identify normalization gaps and find unparsed logs that the parsers aren't processing.

To perform a raw log search, follow these steps:

  1. Go to Investigation > SIEM Search.

  2. In the search field, prefix your search with raw = and enclose the search term in quotation marks (for example, raw = "example.com").

  3. Select raw log search from the menu. Google SecOps returns the matching raw logs together with the UDM events and entities generated from them. You can also run the same search (raw = "example.com") from the UDM Search page.

You can refine raw log results with the same quick filters used for UDM search results: select the filter you want to apply to the raw log results.

Optimize raw log queries

Raw log searches are typically slower than UDM searches. To improve search performance, limit the amount of data your query runs over by changing the search settings:

  • Time range selector: Limits the time range of the data over which you run your query.
  • Log Source selector: Limits your raw log search to only the logs from specific sources, as opposed to all of your log sources. From the Log sources menu, select one or more log sources (the default is all).
  • Regular expressions: Use a regular expression to match only the raw logs you need. For example, raw = /goo\w{3}.com/ matches google.com, goodle.com, and goog1e.com. Note that an unescaped . matches any single character, so this pattern also matches strings with no dot before com; write /goo\w{3}\.com/ to require a literal dot.

Trend over time

Use the trend graph to understand how the raw logs are distributed over the time range of your search. You can apply filters on the graph to look at parsed logs and raw logs separately. Click the drop-down arrow to collapse or expand the graph.

Raw log results

When you run a raw log search, the results are a combination of the raw logs that match your search and the UDM events and entities generated from them. You can explore the search results further by clicking any of the results:

  • UDM event or entity: If you click a UDM event or entity, Google SecOps shows any related events and entities, along with the raw log associated with that item.

  • Raw log: If you click a raw log, Google SecOps shows you the entire raw log line, along with the source for that log.

Download raw log results

To download raw log results to a CSV file, on the Raw log results table, click Menu > Download as CSV.

By default, the data in the Timestamp, Event Type, and Raw Log columns is saved. You can use the Column manager to select which columns to download. The Raw Log column is always included.
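The following is an added example, not Google SecOps code and not part of this page's original content. It shows how a practitioner might triage a downloaded raw log CSV offline: find the rows that produced no UDM event (a normalization gap), and apply the same regex used on the search page, including the difference between an unescaped and an escaped dot. The CSV rows are constructed, the column names follow the default download layout described above, and the convention that an unparsed log has an empty Event Type column is an assumption for this example; the regex matching here is Python's and is not claimed to replicate Google SecOps search semantics exactly.

```python
import csv
import io
import re

# Constructed sample in the default download layout described on this page
# (Timestamp, Event Type, Raw Log). The rows are made up for this example.
# Assumption for the example: a raw log that produced no UDM event is
# exported with an empty Event Type.
SAMPLE_CSV = """Timestamp,Event Type,Raw Log
2024-05-01T10:00:00Z,NETWORK_HTTP,"src=10.0.0.5 dst=google.com uri=/"
2024-05-01T10:00:01Z,NETWORK_HTTP,"src=10.0.0.5 dst=goodle.com uri=/login"
2024-05-01T10:00:02Z,,"src=10.0.0.9 host=goog1e.com action=allow"
2024-05-01T10:00:03Z,NETWORK_DNS,"query=goodlexcom rcode=NXDOMAIN"
2024-05-01T10:00:04Z,,"garbled: 0x00 0xff unknown vendor format"
"""


def load_rows(text):
    """Parse the downloaded CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search_raw(rows, pattern, regex=True):
    """Return the Raw Log values that match the pattern.

    regex=True mirrors raw = /pattern/ on the search page; regex=False
    mirrors the quoted form raw = "term" by escaping the term first.
    """
    rx = re.compile(pattern if regex else re.escape(pattern))
    return [r["Raw Log"] for r in rows if rx.search(r["Raw Log"])]


def normalization_gaps(rows):
    """Return raw logs with an empty Event Type, i.e. logs that produced
    no UDM event under this example's assumed export convention."""
    return [r["Raw Log"] for r in rows if not r["Event Type"].strip()]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    # Unescaped dot: also matches "goodlexcom", where x stands in for the dot.
    print("unescaped:", search_raw(rows, r"goo\w{3}.com"))
    # Escaped dot: only the three hostnames with a literal ".com".
    print("escaped:  ", search_raw(rows, r"goo\w{3}\.com"))
    print("substring:", search_raw(rows, "google.com", regex=False))
    print("unparsed: ", normalization_gaps(rows))
```

Run the block on a CSV you downloaded from the Raw log results table by replacing SAMPLE_CSV with the file contents; rows returned by normalization_gaps are the candidates to check against the parser for that log source.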
