As you may know, Google SecOps lets you search raw logs using the `raw = "value"` syntax.
That is useful during investigation, especially when a value exists in the original log but was not normalized into UDM. Raw Log Search can help you find artifacts, validate parser gaps, or confirm whether a value exists in the ingested raw event.
However, this is not the same as being able to use the raw log directly inside a detection rule.
In YARA-L rules, you normally operate on UDM fields. That means you cannot simply write a rule that searches the raw log the same way you would use `raw = "value"` in investigation search. You also cannot directly add the raw log as an outcome unless that value exists in a field the rule can reference.
That creates a practical gap:
- you may need to filter on a string that exists only in the raw log
- you may need to exclude a known marker that was not parsed
- you may need to pass a raw fragment into an outcome
- you may need SOAR to receive context that UDM does not currently expose
## Workaround
The workaround is to copy the needed raw value, or preferably a limited raw fragment, into a UDM-accessible field during parsing or before ingestion.
There are two practical ways to do this.
### Option 1: Parser Extension
Use a parser extension for the relevant log type.
The parser extension can extract a value from the raw log and map it into a UDM destination field. Two possible destinations are:
- `metadata.ingestion_labels`
- `additional.fields`
For example, you can create a label such as:
```text
raw_detection_context
```

Conceptually, the resulting event would contain something like:

Then a rule can reference that field:
```yaral
rule example_raw_context_match {
  meta:
    author = "gromero-sec"
    description = "Example pattern for using raw detection context"
  events:
    $e.metadata.ingestion_labels["raw_detection_context"] = /suspicious_string/ nocase
  condition:
    $e
}
```
The same field can also be used as an outcome, assuming the event variable is already defined in the `events` section:
```yaral
rule raw_context_to_outcome {
  meta:
    author = "gromero-sec"
    description = "Expose raw context as an outcome"
  events:
    $e.metadata.product_name = "ExampleProduct"
    $raw_context = $e.metadata.ingestion_labels["raw_detection_context"]
  outcome:
    $raw_log_context = $raw_context
  condition:
    $e
}
```
These examples are illustrative. Validate syntax in your own tenant and with your target log type.
### Option 2: Preprocess Before Ingestion
If you control the ingestion pipeline, you can also add the value before the event reaches Google SecOps.
For example, with Bindplane you can:
1. receive the original log
2. use a processor to ingest it as a udm_field
I personally use the following processor:

This gives you more control, especially if you need to redact sensitive values or avoid copying the full raw log.
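As an added illustration of that preprocessing step (not the post's own Bindplane processor, which is not shown here), the small Python pre-ingestion filter below extracts only the marker-bearing fragment of a raw line, redacts secret-like key=value pairs, caps the fragment length, and attaches it under a hypothetical `raw_detection_context` field for the parser to map into `metadata.ingestion_labels` or `additional.fields`. The sample log line, the marker and the redaction patterns are constructed for the example.

```python
import json
import re

# Constructed sample raw line (not a real event) in a key=value style.
SAMPLE_RAW = (
    "Mar 12 10:22:01 host1 appd[4412]: user=alice action=login "
    "result=ok token=abcdef1234567890 marker=SUSPICIOUS_FLAG_X session=9921"
)

# Hypothetical patterns for values that must never land in a UDM-visible
# field; extend for your own log source.
REDACT_PATTERNS = [re.compile(r"(token=)\S+"), re.compile(r"(password=)\S+")]

MAX_FRAGMENT_LEN = 120  # keeps event size bounded even if the marker is long


def redact(text):
    """Mask secret-bearing key=value pairs before the text leaves the pipeline."""
    for pattern in REDACT_PATTERNS:
        text = pattern.sub(r"\1<redacted>", text)
    return text


def extract_fragment(raw_line, marker_regex):
    """Return only the part of the line that carries the marker, or None.

    Copies a limited fragment rather than the whole raw log, redacted and
    capped in length.
    """
    match = re.search(marker_regex, raw_line)
    if not match:
        return None
    return redact(match.group(0))[:MAX_FRAGMENT_LEN]


def preprocess(raw_line, marker_regex=r"marker=\S+"):
    """Build the record handed on to ingestion.

    'raw_detection_context' is the hypothetical field a parser then maps into
    metadata.ingestion_labels or additional.fields. Lines without the marker
    get no extra field at all.
    """
    record = {"log": raw_line}
    fragment = extract_fragment(raw_line, marker_regex)
    if fragment is not None:
        record["raw_detection_context"] = fragment
    return record


if __name__ == "__main__":
    print(json.dumps(preprocess(SAMPLE_RAW), indent=2))
```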

## Important Caution
This should not be treated as a general pattern for every log.
Copying full raw logs into UDM-accessible fields can:
- duplicate data
- increase event size
- expose sensitive values
- create fragile regex-based rules
- hide a parser issue that should be fixed properly
My recommendation is to store only the fragment needed for the detection or downstream workflow, not the entire raw log, unless you have a very specific reason.
If the value can be properly parsed into a normal UDM field, that is still the better option.
This workaround is useful for narrow cases where the raw log contains operationally important context that is not yet available in UDM, but where waiting for a parser change is not practical.
## References
- Raw Log Search: https://docs.cloud.google.com/chronicle/docs/investigation/raw-log-search-in-investigate
- Parser Extensions: https://docs.cloud.google.com/chronicle/docs/event-processing/using-parser-extensions
- UDM Search: https://docs.cloud.google.com/chronicle/docs/investigation/udm-search
- YARA-L 2.0 Syntax: https://docs.cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax
- Outcome Syntax: https://docs.cloud.google.com/chronicle/docs/yara-l/outcome-syntax