Google Security Operations gives you the ability to search through up to a year of the
enterprise data stored in your account. It also includes a number of tools that
let you run multiple UDM search queries and later retrieve and share the results
of those queries.
Use UDM to search up to a year of data
You can conduct a UDM search on up to one year of your UDM data. To adjust the
time period for your UDM search, complete the following steps:
1. Go to Investigation > SIEM Search.
2. Click the time selector field to open the time selector dialog.
3. From the Range tab (the default tab), adjust the time range by selecting
   any of the options from Last 5 minutes to Last year.
4. Use the Start and End fields to choose a more specific
   date range (for example, the first two weeks in November).
5. Adjust the times by selecting specific start and end values, for example,
   03:00 and 08:30.
6. Click Apply and then click Run Search.
Run concurrent searches and manage search queries
Concurrent searches and stored results require the search history feature to be
active. To ensure that search history is on, complete the following steps:
1. Go to Investigation > SIEM Search.
2. Click History. If the Search History Is Disabled message is
   displayed, proceed to the next step. If you don't see this message, then
   Search History is already enabled for your account.
3. Click the More icon (more_vert) and select Opt into search history.
Manage search queries
You can run multiple UDM searches, retrieve previous query search results, and
share your query results with other members of your team:
- Run multiple UDM searches: While a search query is in progress, you can
  run additional searches in the query editor. Google SecOps continues
  running your previous searches and runs the new searches in parallel.
- View query results: Scroll through the query history and select search
  results within 24 hours of running a query. Click History and select one
  of your queries from the list.
  In-progress queries are displayed with a circular status icon. Completed
  queries are displayed with a green check mark icon, along with a counter
  indicating the number of events returned by the query. Click a completed
  query to display the results. These results are cached and only include the
  data available at query run time. However, you can click Rerun to run the
  query against the latest data. This new run is added to the search history
  and the results are made available when the query completes.
- Share query results: Copy the URL of the query results to share them
  with other users.
  When search results are stored, the RBAC scopes of the user who ran the
  search are stored with them. When these results are viewed by another user,
  the viewer's RBAC scope is compared to the stored scopes. If the viewer's
  scopes are more restrictive, an error is displayed and they won't be able to
  view the results.
  Stored search results expire 24 hours after a query is run. However, your
  search query is still available in the History pane. You can rerun your
  searches and the results are made available for up to 24 hours after the
  query run time.
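The scope comparison and the 24-hour expiry described above decide together whether a shared results URL opens. The following is an added example, not Google SecOps code: a simplified Python model in which scopes are plain sets of names, "more restrictive" is assumed to mean the viewer lacks a scope the runner held, and expiry is assumed to be checked first. All names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RESULT_TTL = timedelta(hours=24)  # stored results expire 24 hours after the run


@dataclass(frozen=True)
class StoredResult:
    query: str
    run_time: datetime
    runner_scopes: frozenset  # RBAC scopes of the user who ran the search


def can_view(result, viewer_scopes, now):
    """Return (allowed, reason) for a user opening a shared results URL."""
    if now - result.run_time >= RESULT_TTL:
        # The query text stays in History; only the cached results are gone.
        return False, "expired: rerun the query from History"
    missing = result.runner_scopes - frozenset(viewer_scopes)
    if missing:
        # Assumption: "more restrictive" = viewer lacks a scope the runner held.
        return False, "scope error: viewer lacks " + ", ".join(sorted(missing))
    return True, "ok"


def rerun(result, user_scopes, now):
    """Model a rerun: a new History entry stored with the rerunning user's scopes."""
    return StoredResult(result.query, now, frozenset(user_scopes))


# Constructed sample data: scope names, query text and timestamps are illustrative.
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SHARED = StoredResult('principal.hostname = "host-a"', T0,
                      frozenset({"emea-logs", "finance-logs"}))

if __name__ == "__main__":
    cases = [
        ("broader viewer", {"emea-logs", "finance-logs", "apac-logs"}, 1),
        ("narrower viewer", {"emea-logs"}, 1),
        ("same scopes, next day", {"emea-logs", "finance-logs"}, 25),
    ]
    for who, scopes, hours in cases:
        print(who, can_view(SHARED, scopes, T0 + timedelta(hours=hours)))
```

In this model a viewer with narrower scopes can still rerun the query from their own History, which produces a new result set stored with their own scopes.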
Note: This feature is covered by Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions.
Note: This feature is not available to all customers in all regions.
Last updated 2025-08-29 UTC.