Investigate detections in Search

Supported in:

This guide is for security analysts who want to query, filter, and analyze detections within Google Security Operations Search. This capability lets you search across all alerting and non-alerting detections using any detection attribute and get a holistic workflow for threat investigation.

Common use cases

This section lists some common use cases.

Entity-based threat hunting

Objective: Identify all detections triggered by a specific entity (for example, a principal IP address or hostname) across different rules over a set period.

Value: Lets you identify compromised entities that are consistently generating alerts across the environment. Instead of manually checking individual rules, you can perform a single search to see the full scope of an entity's suspicious activity.

Granular attribute analysis

Objective: Search for detections based on specific fields, such as particular network connection types or log sources, rather than just rule names.

Value: Enables targeted searching within the detection fields. Since multiple rules might trigger on similar network behaviors, searching by the specific attribute helps you isolate related security findings that would otherwise be buried across disparate rule sets.

Incident scope identification

Objective: Quantify how many times a specific event has resulted in a detection or alert within the last month.

Value: Provides visibility into the frequency and severity of specific threats. This helps you determine the complete scenario of an attack and decide whether a detection is a persistent threat or an isolated incident.

Key terminology

  • Search: The core search functionality in Google SecOps used to analyze security telemetry.

  • Detections: Security findings generated by the system based on rules applied to raw logs and UDM events.

Before you begin

You must have the standard SecOps Search permissions and roles assigned to your user account to execute queries and view detection details.

Execute a search on detections

  1. Log in to Google SecOps.

  2. Click Investigation > Search.

  3. In the Search field, enter your search query. The detections matching the search query are displayed.

    You can analyse the search results using the following features:

    • Detections table: Displays a detailed view of all associated events for a selected detection to facilitate thorough investigation.

    • Aggregations panel: Provides a summary view of query results by grouping field values, allowing you to identify data distributions and patterns.

    • Column manager: Customizes the data table interface by letting you select specific fields for display.

    • CSV download: Exports the current result set into a comma-separated values (CSV) file for external use.

    • Pagination: Divides large result sets into manageable chunks to optimize rendering and navigation without overwhelming the display.

Sample search queries

This section lists sample queries to search on detections.

  • Find all detections from a specific rule:

      detection.detection.rule_name = ""

  • Find all alerting detections:

      detection.detection.alert_state = "ALERTING"

  • Find all GCTI detections with medium severity:

    
  detection.type = "GCTI_FINDING" AND detection.detection.severity = "MEDIUM"

  • Find all detections that originated from or are related to a SOAR alert:

    
  detection.id_namespace = "SOAR_ALERT"

  • Find all detections created after a specific time (nanosecond precision) with feedback priority set to critical:

    
  detection.created_time.nanos > 621828000 AND detection.feedback_summary.priority = "PRIORITY_CRITICAL"

  • Find all detections where the investigation reason is marked as malicious:

    
  detection.investigation.reason = "REASON_MALICIOUS"

  • Basic detection search:

    
  detection.detection.rule_name != ""

  detection.detection.rule_type = "SINGLE_EVENT"

  detection.detection.rule_name = /.+/

  • Export to datatable:

    
  detection.detection.rule_name = /.+/

  outcome:
    $x = detection.id
  export:
  %new_detection_table.write_row(
    testing: $x
  )

  • Statistical query (search on aggregated results):

    
  detection.detection.rule_name != ""
  match:
  detection.detection.rule_name
  outcome:
  $detection_count = count(detection.id)
  order:
  $detection_count desc

Enable programmatic API

The programmatic API for searching detections follows the same structure and workflow used for standard search operations. See Asynchronous Search APIs for more information.

Sample query:


  google.cloud.chronicle.v1main.SearchRequest {
    parent: "projects/202560381606/locations/us/instances/ebdc4bb9-878b-11e7-8455-10604b7cb5c1"
    query: "detection.id != \"\""
    time_range: {
      start_time: {
        seconds: 1776338958
      }
      end_time: {
        seconds: 1776417358
      }
    }
    dialect: YL2
    result_limit: 3
  }

When specifying fields from the Collection data for sorting, prefix the field name with detection. For example, use detection.id instead of collection.id.

Sample query:


  google.cloud.chronicle.v1main.ListSearchedResultsRequest {
    parent: "projects/202560381606/locations/us/instances/ebdc4bb9-878b-11e7-8455-10604b7cb5c1/searchSessions/s-lro-981b7e6b-4031-4e69-98f6-91029685786c"
    order_by: "detection.id"
  }

Latency and limits

  • The system supports a maximum of 100,000 results for a standard search on detections, and a maximum of 10,000 results for a stats search.

  • The maximum time range supported for a query is one year.

  • Joins involving detection fields are not supported.

  • Detection search is subject to the standard search limits and quotas.

  • The detections table displays only the events and entities related to a detection.

Known issues

Case names are not visible in the results table when searching for detections. While you can view a case name by clicking a specific row to open the Alert Viewer, you can't query detections directly by case name. For example, the following query returns empty results:


  detection.case_name != ""

Troubleshooting

Review these limitations and quotas to troubleshoot platform behavior.

Error remediation

Use this table to map specific issues to actionable fixes.

Issue Description Fix
Exceeded result limit The query returns more than 100,000 results (or 10,000 for statistical queries). Refine your search query with filters or reduce the time range to narrow down the dataset.
Exceeded time range The search spans more than 365 days. Adjust the start and end times in the search parameters to span one year or less.
API sorting error Sorting fails when using collection proto fields. Ensure the sorting fields are prefixed with detection. instead of collection..

Validation and testing

To determine if detections search is enabled, check if the Run search button stays disabled after entering a query. If it does, contact Support.

Need more help? Get answers from Community members and Google SecOps professionals.Updated. FYI, this section is a part of the new journey-based doc template that we follow.