Generate UDM search queries with Gemini

You can use Gemini to generate UDM search queries from the Gemini pane or when using UDM search.

For best results, Google recommends using the Gemini pane to generate search queries.

Generate a UDM search query using the Gemini pane

  1. Sign into Google SecOps and open the Gemini pane by clicking the Gemini logo.
  2. Enter a natural language prompt and press Enter. The natural language prompt must be in English.

    Figure 1: Open Gemini pane and enter prompt

  3. Review the generated UDM search query. Check that the field names, operators and time range match what you asked for (for example, whether a search for an IP address should cover principal.ip, target.ip or both). If the generated search query meets your requirements, click Run search.

  4. Gemini produces a results summary along with suggested actions.

  5. Use the suggested actions provided by Gemini to continue your investigation.

Example search prompts and follow-up questions

  • Show me all failed logins for the last 3 days
    • Generate a rule to help detect that behavior in the future
  • Show me events associated with the principal user izumi.n
    • Who is this user?
  • Search for all of the events associated with the IP 198.51.100.121 in the last 3 hours
    • List all of the domains in the results set
    • What types of events were returned?
  • Show me events from my firewall in the last 24 hours
    • What were the 16 unique hostnames in the results set?
    • What were the 9 unique IPs associated with the results set?
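As an added illustration (an editor's example, not output from Gemini and not a rule shipped by Google), the following shows what a correct result for the first prompt and its follow-up above might look like. For "Show me all failed logins for the last 3 days", a generated UDM search query should contain the predicates metadata.event_type = "USER_LOGIN" and security_result.action = "BLOCK", with the time picker set to the last 3 days. The rule that the follow-up prompt asks for expresses the same two predicates in YARA-L 2.0, grouped by user so that it fires on repeated failures rather than on every single one. The rule name, the threshold of 5 failures within 1 hour, and the use of BLOCK (rather than FAIL) as the failed-login action are assumptions and depend on how your log sources are parsed.

```yaral
// Editor's example rule, not a Gemini-generated rule.
// Assumption: the log source parser records failed logins as USER_LOGIN
// events with security_result.action = "BLOCK". The 5-in-1h threshold
// is arbitrary; tune it to your environment.
rule repeated_failed_logins_by_user {
  meta:
    author = "editor example"
    description = "Five or more failed logins for a single user within one hour"
    severity = "LOW"

  events:
    // Same predicates a UDM search for "failed logins" would contain.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    // Bind the user ID to a placeholder so the rule groups by user.
    $login.principal.user.userid = $user

  match:
    // One detection per user per 1-hour window.
    $user over 1h

  outcome:
    // Surface the count and the source IPs in the detection itself.
    $failed_count = count($login.metadata.id)
    $source_ips = array_distinct($login.principal.ip)

  condition:
    #login >= 5
}
```

Before enabling a generated or hand-written rule, run it through Rule Test over the same window the search covered (here, the last 3 days) and compare the detections with the search results; if the search returned rows but the rule produces nothing, the action value or the user field binding is the first thing to check.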

Generate a UDM search query using natural language

Using the Google SecOps UDM Search feature, you can enter a natural language query about your data and Gemini can translate this into a UDM search query which you can run against UDM events.

For best results, Google recommends using the Gemini pane to generate search queries.

To use a natural language search to create a UDM search query, complete the following steps:

  1. Sign in to Google SecOps.
  2. Navigate to SIEM Search.
  3. Enter a search statement in the natural language query bar and click Generate Query. You must use English for the search.

    Figure 2: Enter a natural language search and click Generate Query

    The following are some examples of statements that might generate a useful UDM search:

    • network connections from 10.5.4.3 to google.com
    • failed user logins over the last 3 days
    • emails with file attachments sent to john@example.com or jane@example.com
    • all Cloud service accounts created yesterday
    • outbound network traffic from 10.16.16.16 or 10.17.17.17
    • all network connections to facebook.com or tiktok.com
    • service accounts created in Google Cloud yesterday
    • Windows executables modified between 8 AM and 1 PM on May 1, 2023
    • all activity from winword.exe on lab-pc
    • scheduled tasks created or modified on exchange01 during the last week
    • email messages that contain PDF attachments
    • emails sent by or sent from admin@acme.com on September 1
    • any files with the hash 44d88612fea8a8f36de82e1278abb02f
    • all activity associated with user "sam@acme.com"
  4. If the search statement includes a time-based term, the time picker is automatically adjusted to match. For example, this would apply to the following searches:

    • yesterday
    • within the last 5 days
    • on Jan 1, 2023

    If the search statement cannot be interpreted, you will see the following message:
    "Sorry, no valid query could be generated. Try asking a different way."

  5. Review the generated UDM search query.

  6. (Optional) Adjust the search time range.

  7. Click Run Search.

  8. Review the search results to determine if the event is present. If needed, use search filters to narrow the list of results.

  9. Provide feedback about the query using the Generated Query feedback icons. Select one of the following:

    • If the query returns the expected results, click the thumbs up icon.
    • If the query does not return the expected results, click the thumbs down icon.
    • (Optional) Include additional detail in the Feedback field.
    • To submit a revised UDM search query that helps improve results:
      • Edit the UDM search query that was generated.
      • Click Submit. If you did not rewrite the query, text in the dialog prompts you to edit the query.
      The revised UDM search query is sanitized of sensitive data before it is used to improve results.

Delete a chat session

You can delete your chat conversation session or delete all chat sessions. Gemini maintains all user conversation histories privately and adheres to Google Cloud's responsible AI practices. User history is never used to train models.

  1. In the Gemini pane, select Delete chat from the menu at the top right.
  2. Click Delete chat at the bottom right to delete the current chat session.
  3. (Optional) To delete all chat sessions, select Delete all chat sessions and then click Delete all chats.

Provide feedback

You can provide feedback to responses generated by the Gemini AI investigation assistance. Your feedback helps Google improve the feature and the output generated by Gemini.

  1. In the Gemini pane, select the thumbs up or thumbs down icon.
  2. (Optional) If you select thumbs down, you can add additional feedback about why you chose the rating.
  3. Click Send feedback.