SIEM Feature Request - Query Custom HEC RAW data as string
Shaun Miller
Currently, there’s no way to query Custom HEC RAW data directly. Only limited temporal metadata is indexed, leaving the full raw payload stored but not actionable. Since the SIEM is already retaining this data, it feels like a missed opportunity not to make it more useful.
A highly valuable enhancement would be enabling raw-text querying, ideally with regex support, so users can search the complete payload as a string.
A more advanced option could be providing a user-configurable indexer, allowing users to define which event_metadata JSON fields should be parsed and indexed.
Example Use Case
A user ingests sanitized POST request logs into a custom HEC source.
The raw data is stored, but cannot currently be queried or parsed as text.
The user wants to search these logs for potentially malicious keywords or patterns such as:
sql | admin | php | view | � | ftp | sftp | ssh | root | cmd | shell
With the ability to query raw payloads—and optionally save and schedule these searches—the platform becomes a powerful, user-friendly tool for proactive threat hunting, while letting users tailor the logs and signals that matter most to them.
J.R. Garcia
The raw log is available to query in ES|QL via event.original. We'll make some changes to make this a bit more apparent, but you can query event.original right now. You could do something like FROM logs | WHERE CONTAINS(event.original, "sql").
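The keyword hunt from the request above, run against event.original the way the reply describes, as an added stand-alone example that is not code from this thread or from the SIEM vendor: it applies the post's keyword list to constructed sample payloads and shows why a whole-token pattern is worth keeping next to plain substring search (the unreadable character in the original list is left out).

```python
import re

# Keyword list from the feature request (plain substring alternation).
KEYWORDS = ["sql", "admin", "php", "view", "ftp", "sftp", "ssh", "root", "cmd", "shell"]

# Naive pattern: any occurrence anywhere in the payload, so "preview" hits on "view".
NAIVE = re.compile("|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)

# Token pattern: the keyword must stand alone (word boundaries on both sides).
TOKEN = re.compile(r"\b(?:" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE)

# Constructed sample event.original values imitating sanitized POST request logs.
SAMPLE_EVENTS = [
    'POST /login HTTP/1.1 body="user=alice&pass=[REDACTED]"',
    'POST /api/preview HTTP/1.1 body="doc=42"',
    'POST /admin/config.php HTTP/1.1 body="cmd=id"',
    "POST /search HTTP/1.1 body=\"q=' OR 1=1 -- sql\"",
]


def hunt(events, pattern=TOKEN):
    """Return (event, sorted matched keywords) for every event the pattern hits."""
    hits = []
    for ev in events:
        found = sorted({m.lower() for m in pattern.findall(ev)})
        if found:
            hits.append((ev, found))
    return hits


def substring_only_hits(events):
    """Events flagged by the naive substring pattern but not by the token pattern.

    These are the candidates a reviewer would want to look at before scheduling
    the saved search, since they are usually false positives."""
    token_flagged = {ev for ev, _ in hunt(events, TOKEN)}
    return [ev for ev, _ in hunt(events, NAIVE) if ev not in token_flagged]


if __name__ == "__main__":
    for ev, kws in hunt(SAMPLE_EVENTS):
        print("HIT", kws, ev)
    for ev in substring_only_hits(SAMPLE_EVENTS):
        print("SUBSTRING-ONLY", ev)
```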
Bryce Skelton
This would be very powerful to have. I'm personally trying to build out reporting as well as tune some of our other security tools (such as spam filter) and I am kind of cut off at the knees to be able to see if something was properly categorized and improperly delivered because I can't do some of these queries. I understand the initial start of this component wasn't for this advanced use, but it would be a powerful tool to leverage and get better adoption.