Generate search queries with Gemini
Supported in: Google SecOps SIEM
This document explains how you can use Gemini to generate search queries from the Gemini pane or when using Google Security Operations search.
For best results, we recommend using the Gemini pane to generate search queries.
Generate a search query using the Gemini pane
Sign in to Google SecOps.
Click the Gemini logo to open the Gemini pane.
Enter a natural language prompt and press Enter. The natural language prompt must be in English.
Figure 1. Open Gemini pane and enter prompt.
Review the generated search query. The search query uses YARA-L 2.0 syntax.
If the generated search query meets your requirements, click Run search.
Gemini produces a results summary along with suggested actions.
Example search prompts and follow-up questions
Show me all failed logins for the last 3 days
Generate a rule to help detect that behavior in the future
Show me events associated with the principal user izumi.n
Who is this user?
Search for all of the events associated with the IP 198.51.100.121 in the last 3 hours
List all of the domains in the results set
What types of events were returned?
Show me events from my firewall in the last 24 hours
What were the 16 unique hostnames in the results set?
What were the 9 unique IPs associated with the results set?
Generate a search query using natural language
Using the Google SecOps search feature, you can enter a natural
language query about your data, and Gemini can translate this into a
search query to run against UDM events.
To use a natural language search to create a search query, complete the
following steps:
Sign in to Google SecOps.
Go to Investigation > SIEM Search.
Enter a search statement in the natural language query bar and click
Generate Query. You must use English for the search.
Figure 2. Enter a natural language search and click Generate Query.
The following statements are examples that might generate a useful search:
network connections from 10.5.4.3 to google.com
failed user logins over the last 3 days
emails with file attachments sent to john@example.com or jane@example.com
all Cloud service accounts created yesterday
outbound network traffic from 10.16.16.16 or 10.17.17.17
all network connections to facebook.com or tiktok.com
service accounts created in Google Cloud yesterday
Windows executables modified between 8 AM and 1 PM on May 1, 2023
all activity from winword.exe on lab-pc
scheduled tasks created or modified on exchange01 during the last week
email messages that contain PDF attachments
emails sent by or sent from admin@acme.com on September 1
any files with the hash 44d88612fea8a8f36de82e1278abb02f
all activity associated with user "sam@acme.com"
If the search statement includes a time-based term, the time picker is
automatically adjusted to match. For example, this would apply to the
following searches:
yesterday
within the last 5 days
on Jan 1, 2023
If the search statement can't be interpreted, you see the following
message: "Sorry, no valid query could be generated. Try asking a
different way."
Review the generated search query. The syntax is YARA-L 2.0.
Optional: Adjust the search time range.
Click Run Search.
Review the search results to determine if the event is present. If needed,
use search filters to narrow the list of results.
Provide feedback about the query using the Generated Query feedback
icons. Select one of the following:
If the query returns the expected results, click the Thumbs Up icon.
If the query does not return the expected results, click the Thumbs Down icon.
Optional: Include additional detail in the Feedback field.
To submit a revised search query that helps improve results:
Edit the search query that was generated.
Click Submit.
If you didn't rewrite the query, you're prompted to edit the query.
If you did rewrite the query, the revised search query is sanitized
for sensitive data and used to improve results.
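As an added example, not output from Gemini or code from Google's documentation, this is the kind of YARA-L 2.0 rule the follow-up prompt "Generate a rule to help detect that behavior in the future" asks for, built on the same predicate a "failed logins" search generates (`metadata.event_type = "USER_LOGIN" AND security_result.action = "BLOCK"`), whether that search came from the Gemini pane or the natural language query bar. The rule name, the threshold, the window and the choice of `principal.user.userid` as the failing account are assumptions to verify against your own log sources and the query you were actually given:

```yara-l
// Constructed example rule (not generated by Gemini). Detects five or more
// blocked USER_LOGIN events for one principal user within one hour.
rule repeated_failed_logins_example {
  meta:
    author = "example"
    description = "Five or more failed logins for a single user within 1 hour"
    severity = "LOW"

  events:
    // Same predicate as the generated "failed logins" UDM search. Whether a
    // failed login is recorded as security_result.action = "BLOCK" depends on
    // the parser for each log source; confirm it in the search results first.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    // Assumption: the failing account is in principal.user; some sources put
    // it in target.user instead. Check which field the generated query used.
    $login.principal.user.userid = $user

  match:
    // Group events per user over a one-hour window. Unlike a search, a rule
    // has no time picker: the window is part of the rule itself.
    $user over 1h

  outcome:
    $failed_count = count($login.metadata.id)
    $source_ips = array_distinct($login.principal.ip)

  condition:
    #login >= 5
}
```

When reviewing a generated search, check the same three things the rule makes explicit: the event type, the field that carries the user or host, and that the time window comes from the time picker rather than from the query text.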
Delete a chat session
You can delete your chat conversation session or delete all chat sessions.
Gemini maintains all user conversation histories privately and adheres to Google Cloud's responsible AI practices. User history is never used to train models.
In the Gemini pane, select Delete chat from the menu at the top right.
Click Delete chat at the bottom right to delete the current chat session.
Optional: To delete all chat sessions, select Delete all chat sessions
and then click Delete all chats.
Provide feedback
You can provide feedback to responses generated by the Gemini AI
investigation assistance. Your feedback helps Google improve the feature and the
output generated by Gemini.
In the Gemini pane, click the Thumb Up or Thumb Down icon.
Optional: Click the Thumb Down icon and provide feedback.
Click Send feedback.
Need more help? Get answers from Community members and Google SecOps professionals: https://security.googlecloudcommunity.com/google-security-operations-2
Last updated 2025-08-29 UTC.