Query raw logs from EDR like KQL/SPL
Lucas Silva
I am accustomed to using platforms like MDE, CrowdStrike, and Splunk, where I can query raw logs using languages like KQL or SPL. It would be beneficial if your platform could offer a similar feature to query raw logs directly, allowing for more detailed analysis and insights.
Roger Rickard
There is currently no way to even text search the "RawData" that is available for each log upon inspection, as the data is not parsed into any searchable ECS field like winlog.event_data unless it has named tags.