You can display and download large numbers of the events associated with each threat detection. This lets you search across a broad set of the data stored in your Google Security Operations account to hunt for security issues.
Display and download events
Complete the following steps to display and download the events associated with a detection:
In the navigation bar, click Detection > Rules & Detections.
Click the Rules Dashboard tab.
Rules Dashboard
Click a rule to open the Rule Detections view.
Select a Detection from the Detections list and expand the sample events
list by clicking the arrow next to the list.
Each event variable in a rule can display up to 10 sample events.
For example, a rule with two event variables ($e1, $e2) can show up to 20
samples in total. Any samples beyond this limit are hidden on the
Detections page., but they're included if you click Download All to view
Unified Data Model (UDM) events associated with your detection.
The Download as CSV option appears if event samples were omitted from your
detection. A maximum of 100,000 events can be downloaded.
The event samples are sorted by event timestamp in the UI. Google does not
guarantee any sorting of event samples when reading detections from
Chronicle APIs.
Optional: Click
view_column Columns to add more fields to the sample events list.
These fields are also included in the downloaded CSV.
Click the Download as CSV link. The event samples are downloaded as a CSV file which you can then open in most spreadsheet applications.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[[["\u003cp\u003eYou can download large numbers of events associated with threat detections in Google Security Operations to search for security issues.\u003c/p\u003e\n"],["\u003cp\u003eThe "Download as CSV" option is available for multi-event rules, but not for detections from Test Rules.\u003c/p\u003e\n"],["\u003cp\u003eUp to 10 event samples per event variable are displayed, and a maximum of 100,000 events can be downloaded in total.\u003c/p\u003e\n"],["\u003cp\u003eAdditional columns of information can be added to the sample event list and will be included in the downloaded CSV file.\u003c/p\u003e\n"],["\u003cp\u003eThe downloaded CSV file is dynamically generated with the most recent event samples, which might differ from the user interface display.\u003c/p\u003e\n"]]],[],null,[]]