SIEM Feature Request - Query Custom HEC RAW data as string
Shaun Miller
Currently, there’s no way to query Custom HEC RAW data directly. Only limited temporal metadata is indexed, leaving the full raw payload stored but not actionable. Since the SIEM is already retaining this data, it feels like a missed opportunity not to make it more useful.
A highly valuable enhancement would be enabling raw-text querying, ideally with regex support, so users can search the complete payload as a string.
A more advanced option could be providing a user-configurable indexer, allowing users to define which event_metadata JSON fields should be parsed and indexed.
Example Use Case
A user ingests sanitized POST request logs into a custom HEC source.
The raw data is stored, but cannot currently be queried or parsed as text.
The user wants to search these logs for potentially malicious keywords or patterns such as:
sql | admin | php | view | � | ftp | sftp | ssh | root | cmd | shell
With the ability to query raw payloads—and optionally save and schedule these searches—the platform becomes a powerful, user-friendly tool for proactive threat hunting, while letting users tailor the logs and signals that matter most to them.
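To make the request concrete, here is a small added example (not code from the post or the SIEM vendor) that models the two asks against constructed HEC-style events: treat the raw payload as a string and run a regex keyword search over it, and pull a user-chosen set of event_metadata fields out for indexing. The event shape, field names and sample payloads are assumptions for illustration; the keyword regex uses word boundaries so a bare token like "admin" does not fire on "administrator", a false-positive trap the plain keyword list would otherwise walk into.

```python
import json
import re

# Constructed sample of raw HEC-style events (not real customer data): each event
# carries a sanitized POST request body plus an event_metadata JSON object.
SAMPLE_EVENTS = [
    {"time": 1700000000, "event": "POST /login user=alice&pass=***",
     "event_metadata": {"src_ip": "10.0.0.5", "path": "/login", "status": 200}},
    {"time": 1700000001, "event": "POST /upload.php cmd=whoami",
     "event_metadata": {"src_ip": "10.0.0.9", "path": "/upload.php", "status": 403}},
    {"time": 1700000002, "event": "POST /view?id=3 name=administrator",
     "event_metadata": {"src_ip": "10.0.0.7", "path": "/view", "status": 200}},
]

# Keyword list from the request, compiled into one case-insensitive regex with
# word boundaries so "administrator" does not match the bare token "admin".
KEYWORDS = ["sql", "admin", "php", "view", "ftp", "sftp", "ssh", "root", "cmd", "shell"]
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE)


def search_raw(events, pattern=PATTERN):
    """Search the full raw payload as a string; return (event index, keywords hit)."""
    hits = []
    for i, ev in enumerate(events):
        raw = ev["event"] if isinstance(ev["event"], str) else json.dumps(ev["event"])
        found = sorted({m.group(1).lower() for m in pattern.finditer(raw)})
        if found:
            hits.append((i, found))
    return hits


def index_fields(events, fields):
    """User-configurable indexer: extract only the chosen event_metadata keys."""
    return [{f: ev.get("event_metadata", {}).get(f) for f in fields} for ev in events]


if __name__ == "__main__":
    print(search_raw(SAMPLE_EVENTS))
    print(index_fields(SAMPLE_EVENTS, ["src_ip", "status"]))
```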