Search

The search function lets you find Unified Data Model (UDM) events and alerts within your Google Security Operations instance using YARA-L 2.0 syntax. Search includes a variety of options to help you navigate through your UDM data. You can search for individual UDM events and groups of UDM events tied to shared search terms.

On systems that use data RBAC, you can only see data that matches your scopes. For more information, see data RBAC impact on Search.

For Google SecOps customers, alerts can also be ingested from connectors and webhooks. You can use search to find these alerts as well.

For more information about UDM, see Format log data as UDM and UDM field list.

You can access Google SecOps search using the following options:

  • On the navigation bar, click Investigation > Search.

  • In the Search field, enter a valid UDM field for any search field in Google SecOps, and then press CTRL+Enter.

    Figure 1. Example of the Search window used to explore event trends.

The following sections detail how to use the search features.

Use the search feature

  • A search expression consists of a UDM field to search, an operator, and a data value to search for.

  • If the query expression is valid, the Google SecOps console enables the Run search button.

  • UDM queries are based on fields defined in the Unified Data Model field list. You can browse and select these UDM fields using Filters or Raw Log Search.

  • To adjust the number of events returned, click More and select Search Settings. For details, see Search settings.

  • To change the data range, open the Date range window.

To use the search feature, complete the following steps:

  1. Go to the Search page.
  2. In the Search field, enter a search expression.
  3. To search for events, enter a UDM field name in the Search field. As you type, the automatic completion feature suggests valid UDM fields based on your input.
  4. Once you have entered a valid UDM field, select a valid operator. The user interface displays the available valid operators based on the UDM field you entered. The following operators are supported:

    • <, >
    • <=, >=
    • =, !=
    • nocase -- supported for strings
  5. After you enter a valid UDM field and operator, add the log data value you want to search for. For details, see Format the data value to search for.

  6. Click Run search to run your search.

    The event results are displayed in the Events timeline table on the Search page.

  7. Optional: Narrow the results by adding additional UDM filters manually or using the console.

Format the data value to search for

Format the data value using the following guidelines:

  • Data type: Format the data value based on its data type:

    • Enumerated values: Use a valid enumerated value defined for the selected UDM field.

      For example: A text value, all caps enclosed in double quotes:

      metadata.event_type = "NETWORK_CONNECTION"

    • Additional values: Use the field["key"] = value format to search within additional and labels fields.

      For example:

      additional.fields["key"]="value"

    • Boolean values: Use true or false (case-insensitive, no quotes needed).

      For example:

      network.dns.response = true

    • Integers: Use numeric values without quotes.

      For example:

      target.port = 443

    • Float values: For UDM fields of the float type, enter a decimal value, such as 3.1, or an integer, such as 3.

      For example:

      security_result.about.asset.vulnerabilities.cvss_base_score = 3.1

    • Regular expressions: Enclose the regular expression between forward slashes (/).

      For example:

      • principal.ip = /10.*/
      • Search for the execution of psexec.exe (Windows):

        target.process.command_line = /\bpsexec(\.exe)?\b/ nocase

      For details about regular expressions, see the regular expressions page.

    • Strings: Enclose text values in double quotes.

      For example:

      metadata.product_name = "Google Cloud VPC Flow Logs"

  • Case-insensitive strings: Use the nocase operator to match any combination of uppercase and lowercase characters in a string.

    For example:

    • principal.hostname != "http-server" nocase
    • principal.hostname = "JDoe" nocase
    • principal.hostname = /dns-server-[0-9]+/ nocase
  • Escape characters in strings: Escape special characters with a backslash, as follows:

    • Use \\ to escape a backslash (\).
    • Use \" to escape a double quote (").

    For example:

    • principal.process.file.full_path = "C:\\Program Files (x86)\\Google\\Application\\chrome.exe"
    • target.process.command_line = "cmd.exe /c \"c:\\program files\\a.exe\""
  • Boolean expressions: Use AND, OR, and NOT to combine conditions and narrow results.

    The following examples show supported boolean operators (AND, OR, and NOT):

    • A AND B
    • A OR B
    • Use parentheses ( ) to group expressions and control evaluation order:

      (A OR B) AND (B OR C) AND (C OR NOT D)

    Examples:

    • Search for login events on the finance server:

      metadata.event_type = "USER_LOGIN" and target.hostname = "finance-svr"

    • Use the operator (>) to search for connections where more than 10 MB of data was sent:

      metadata.event_type = "NETWORK_CONNECTION" and network.sent_bytes > 10000000

    • Use multiple conditions to search for winword.exe launching cmd.exe or powershell.exe:

      metadata.event_type = "PROCESS_LAUNCH" and
       principal.process.file.full_path = /winword/ and
       (target.process.file.full_path = /cmd.exe/ or
        target.process.file.full_path = /powershell.exe/)
  • Search key-value pairs in additional and labels fields:

    The additional and labels fields act as customizable containers for event data that doesn't map to standard UDM fields. Each entry stores a single key-value pair.

    • additional fields may contain multiple key-value pairs.
    • labels fields can only contain a single key-value pair.

    Use this syntax to specify the key-value pairs to search in the additional and labels fields:

    field["key"] = value

    For example:

    additional.fields["key"]="value"

    Examples of searches using specific key-value pairs in the additional and labels fields:

    • Search for events containing specified key-value pairs:

      • additional.fields["pod_name"] = "kube-scheduler"

      • metadata.ingestion_labels["MetadataKeyDeletion"] = "startup-script"

    • Use the AND operator with key-value pair searches:

      additional.fields["pod_name"] = "kube-scheduler" AND additional.fields["pod_name1"] = "kube-scheduler1"

    • Search for all events that contain the specified key, regardless of the value:

      additional.fields["pod_name"] != ""

    • Search for events that contain a specific key, using a regular expression:

      additional.fields.value.string_value = "mystring"

    • Search for events that use multiple keys with the same name, using a regular expression:

      additional.fields.key = /myKeynumber_*/

    • Use regular expressions and the nocase operator:

      • additional.fields["pod_name"] = /br/

      • additional.fields["pod_name"] = "bar" nocase

  • Use block and single-line comments.

    • Use a block comment:

      additional.fields["pod_name"] = "kube-scheduler"
      /*
      Block comments can span
      multiple lines.
      */
      AND additional.fields["pod_name1"] = "kube-scheduler1"

    • Use a single-line comment:

      additional.fields["pod_name"] != "" // my single-line comment
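As an added example (not code from the Google SecOps documentation or product), the following Python helpers apply the formatting rules above: they quote strings with the backslash and double-quote escaping just described, render enumerated, boolean, numeric and regular-expression values the way the search expects them, build field["key"] = "value" terms for additional and labels fields, and combine terms with AND, OR, NOT and parentheses. The function names are this example's own, and the nocase check follows the operator list above, which allows nocase only for string and regular-expression values.

```python
import re


def quote_string(value: str) -> str:
    """Enclose a string in double quotes, escaping \\ and " with a backslash."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_value(value, kind: str) -> str:
    """Render a Python value as the literal the search expects for its UDM type."""
    if kind == "enum":                 # all-caps enumerated value, double-quoted
        return f'"{str(value).upper()}"'
    if kind == "bool":                 # true or false, no quotes
        return "true" if value else "false"
    if kind in ("int", "float"):       # numeric values, no quotes
        return repr(value)
    if kind == "regex":                # pattern enclosed between forward slashes
        re.compile(value)              # reject an invalid pattern before it is sent
        return f"/{value}/"
    if kind == "string":
        return quote_string(value)
    raise ValueError(f"unknown value kind: {kind}")


OPERATORS = {"=", "!=", "<", "<=", ">", ">="}


def term(field: str, op: str, value, kind: str = "string", nocase: bool = False) -> str:
    """One search expression: UDM field, operator, formatted value, optional nocase."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    if nocase and kind not in ("string", "regex"):
        raise ValueError("nocase is only supported for strings and regular expressions")
    expr = f"{field} {op} {format_value(value, kind)}"
    return f"{expr} nocase" if nocase else expr


def kv_term(container: str, key: str, value: str, op: str = "=") -> str:
    """The field["key"] = "value" form used for additional and labels fields."""
    return f"{container}[{quote_string(key)}] {op} {quote_string(value)}"


def all_of(*exprs: str) -> str:
    """Parenthesised AND of several expressions."""
    return "(" + " AND ".join(exprs) + ")"


def any_of(*exprs: str) -> str:
    """Parenthesised OR of several expressions."""
    return "(" + " OR ".join(exprs) + ")"


def negate(expr: str) -> str:
    return f"NOT {expr}"


def winword_spawning_shell() -> str:
    """The page's winword.exe -> cmd.exe / powershell.exe query, built with the helpers.
    The patterns are kept as the page writes them; note that an unescaped "." in a
    regular expression matches any character, not only a literal dot."""
    return all_of(
        term("metadata.event_type", "=", "process_launch", "enum"),
        term("principal.process.file.full_path", "=", "winword", "regex"),
        any_of(
            term("target.process.file.full_path", "=", "cmd.exe", "regex"),
            term("target.process.file.full_path", "=", "powershell.exe", "regex"),
        ),
    )


if __name__ == "__main__":
    # The two escaped-string examples from this page, produced from plain Python strings.
    print(term("principal.process.file.full_path", "=",
               r"C:\Program Files (x86)\Google\Application\chrome.exe"))
    print(term("target.process.command_line", "=", 'cmd.exe /c "c:\\program files\\a.exe"'))
    print(kv_term("additional.fields", "pod_name", "kube-scheduler"))
    print(winword_spawning_shell())
```

Building the term from the unescaped Windows path and letting quote_string add the backslashes avoids the most common mistake when pasting paths into a search: escaping once by hand and then again in the query, or not at all.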

Search settings

You can set the maximum number of search results in UDM Search settings. These settings are user-specific.

  1. Click More next to Run search, and then click Search settings.

  2. Select Max Results to Return. The options are 1K, 10K, 100K, 1M and custom, which can take values between 1 and 1M. The default value is 1M. Queries usually run faster when you choose a smaller result set size.

Search returns too many results

If your search is too broad, Google SecOps displays a warning message indicating that not all search results can be shown.

In such cases, the system retrieves only the latest results, up to the search limit of 1M events and 1,000 alerts. However, there may be many more matching events and alerts that are not displayed.

To ensure you capture all relevant results, consider refining your search by applying additional filters. Narrowing the search scope helps reduce the dataset to a manageable size and improves accuracy. We recommend adjusting and rerunning the search until the results fall within the system's display limit.

The search results page displays the latest 10,000 results. You can filter and refine the search results to display the older results, as an alternative to modifying and rerunning the search.

Search grouped fields

Grouped fields are aliases for groups of related UDM fields. You can use them to query multiple UDM fields at the same time without typing each field individually.

The following example shows how to enter a query to match the common UDM fields that might contain the specified IP address:

ip = "1.2.3.4"

You can match a grouped field using a regular expression and using the nocase operator. Reference lists are also supported. Grouped fields can also be used in combination with regular UDM fields as shown in the following example:

ip = "5.6.7.8" AND metadata.event_type = "NETWORK_CONNECTION"

Grouped fields have a separate section in Aggregations.

Types of grouped UDM fields

You can search across all of the following grouped UDM fields:

Grouped field name: associated UDM fields

  • domain: about.administrative_domain, about.asset.network_domain, network.dns.questions.name, network.dns_domain, principal.administrative_domain, principal.asset.network_domain, target.administrative_domain, target.asset.hostname, target.asset.network_domain, target.hostname
  • email: intermediary.user.email_addresses, network.email.from, network.email.to, principal.user.email_addresses, security_result.about.user.email_addresses, target.user.email_addresses
  • file_path: principal.file.full_path, principal.process.file.full_path, principal.process.parent_process.file.full_path, target.file.full_path, target.process.file.full_path, target.process.parent_process.file.full_path
  • hash: about.file.md5, about.file.sha1, about.file.sha256, principal.process.file.md5, principal.process.file.sha1, principal.process.file.sha256, security_result.about.file.sha256, target.file.md5, target.file.sha1, target.file.sha256, target.process.file.md5, target.process.file.sha1, target.process.file.sha256
  • hostname: intermediary.hostname, observer.hostname, principal.asset.hostname, principal.hostname, src.asset.hostname, src.hostname, target.asset.hostname, target.hostname
  • ip: intermediary.ip, observer.ip, principal.artifact.ip, principal.asset.ip, principal.ip, src.artifact.ip, src.asset.ip, src.ip, target.artifact.ip, target.asset.ip, target.ip
  • namespace: principal.namespace, src.namespace, target.namespace
  • process_id: principal.process.parent_process.pid, principal.process.parent_process.product_specific_process_id, principal.process.pid, principal.process.product_specific_process_id, target.process.parent_process.pid, target.process.parent_process.product_specific_process_id, target.process.pid, target.process.product_specific_process_id
  • user: about.user.userid, observer.user.userid, principal.user.user_display_name, principal.user.userid, principal.user.windows_sid, src.user.userid, target.user.user_display_name, target.user.userid, target.user.windows_sid
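The following Python snippet, added here and not part of the Google SecOps product, encodes the grouped-field table above and rewrites a query's grouped-field terms into the UDM fields they alias, so you can see exactly which fields a search like ip = "5.6.7.8" covers. Treating a grouped = term as an OR across its fields, and a != term as an AND (the value must differ in every field), is this example's reading of "match the common UDM fields that might contain the value"; the console performs the expansion itself, and the pattern and function names are this example's own.

```python
import re

# Grouped field aliases and the UDM fields each one covers, taken from the table on this page.
GROUPED_FIELDS = {
    "domain": ["about.administrative_domain", "about.asset.network_domain",
               "network.dns.questions.name", "network.dns_domain",
               "principal.administrative_domain", "principal.asset.network_domain",
               "target.administrative_domain", "target.asset.hostname",
               "target.asset.network_domain", "target.hostname"],
    "email": ["intermediary.user.email_addresses", "network.email.from", "network.email.to",
              "principal.user.email_addresses", "security_result.about.user.email_addresses",
              "target.user.email_addresses"],
    "file_path": ["principal.file.full_path", "principal.process.file.full_path",
                  "principal.process.parent_process.file.full_path", "target.file.full_path",
                  "target.process.file.full_path", "target.process.parent_process.file.full_path"],
    "hash": ["about.file.md5", "about.file.sha1", "about.file.sha256",
             "principal.process.file.md5", "principal.process.file.sha1",
             "principal.process.file.sha256", "security_result.about.file.sha256",
             "target.file.md5", "target.file.sha1", "target.file.sha256",
             "target.process.file.md5", "target.process.file.sha1", "target.process.file.sha256"],
    "hostname": ["intermediary.hostname", "observer.hostname", "principal.asset.hostname",
                 "principal.hostname", "src.asset.hostname", "src.hostname",
                 "target.asset.hostname", "target.hostname"],
    "ip": ["intermediary.ip", "observer.ip", "principal.artifact.ip", "principal.asset.ip",
           "principal.ip", "src.artifact.ip", "src.asset.ip", "src.ip",
           "target.artifact.ip", "target.asset.ip", "target.ip"],
    "namespace": ["principal.namespace", "src.namespace", "target.namespace"],
    "process_id": ["principal.process.parent_process.pid",
                   "principal.process.parent_process.product_specific_process_id",
                   "principal.process.pid", "principal.process.product_specific_process_id",
                   "target.process.parent_process.pid",
                   "target.process.parent_process.product_specific_process_id",
                   "target.process.pid", "target.process.product_specific_process_id"],
    "user": ["about.user.userid", "observer.user.userid", "principal.user.user_display_name",
             "principal.user.userid", "principal.user.windows_sid", "src.user.userid",
             "target.user.user_display_name", "target.user.userid", "target.user.windows_sid"],
}

# One grouped-field term: alias, = or !=, a double-quoted string or a /regex/, optional nocase.
# The lookarounds stop "ip" from matching inside a real field such as principal.ip.
_TERM = re.compile(
    r"(?<![\w.])(" + "|".join(GROUPED_FIELDS) + r")(?![\w.])"
    r'\s*(=|!=)\s*("(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/)(\s+nocase)?',
    re.IGNORECASE,
)


def expand_grouped_term(alias: str, op: str, value: str, nocase: str = "") -> str:
    """Rewrite one grouped-field term into a parenthesised group over its UDM fields."""
    fields = GROUPED_FIELDS[alias.lower()]
    joiner = " OR " if op == "=" else " AND "   # assumption: != means "differs in every field"
    return "(" + joiner.join(f"{f} {op} {value}{nocase}" for f in fields) + ")"


def expand_query(query: str) -> str:
    """Expand every grouped-field term in a query; ordinary UDM terms are left untouched."""
    def _sub(m):
        alias, op, value, nocase = m.groups()
        return expand_grouped_term(alias, op, value, nocase or "")
    return _TERM.sub(_sub, query)


if __name__ == "__main__":
    print(expand_query('ip = "5.6.7.8" AND metadata.event_type = "NETWORK_CONNECTION"'))
```

This is a textual rewrite, not a parser: an alias that appears inside a quoted string value (for example metadata.description = "user = admin") would also be rewritten, which is a limitation of the example rather than of the product.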

Find a UDM field for search query

While writing a search query, you may not know which UDM field to include. The UDM Lookup lets you quickly find a UDM field name that contains a text string in the name or that stores a specific string value. The UDM Lookup function is not intended to be used to search other data types, such as bytes, boolean, or numeric. You select one or more results returned by UDM Lookup and use them as a starting point for a Search query.

To use UDM Lookup, do the following:

  1. On the Search page, click UDM Lookup.

  2. In the UDM Lookup dialog, select one or more of the following matching options, to specify the scope of data to search:

    • UDM Fields: Search for text in UDM field names.

      For example: network.dns.questions.name or principal.ip

    • Values: Search for text in the values assigned to UDM Fields.

      For example: dns or google.com.

  3. Enter or modify the string in the UDM fields/values Look up field. As you type, search results appear in the dialog.

    The results are slightly different when searching in UDM Fields versus Values:

    • Searching for a text string in UDM field names returns an exact match found at any location in the name.

      Figure 3. Search within UDM field names in the UDM Lookup.

    • Searching for text in Values returns results as follows:

      • If the string is found at the beginning or end of the value, it is highlighted in the result, along with the UDM field name and the log ingestion time.
      • If the text string is found elsewhere in the value, the result displays the UDM field name and the text Possible value match.

      Figure 2. Search within Values in the UDM Lookup.

  4. In the results list, you can perform the following:

    • Click the name of a UDM field to see a description of that field.

    • Select one or more results by clicking the checkbox on the left of each UDM field name.

    • Click the Reset button to deselect all selected fields in the results list.

  5. To append the selected results to the Search field on the Search page, do one of the following:

    • Click Append to search.

    • Click Copy UDM to copy the selected results to the clipboard. Then, close the UDM Lookup dialog, and paste the search query string into the Search field on the Search page.

    Google SecOps converts the selected results to a search query string as the UDM field name or a name-value pair. If you append multiple results, each result is added to the end of the existing query in the Search field using the OR operator.

    The appended query string is different depending on the type of match returned by UDM Lookup.

    • If the result matches a text string in a UDM field name, the full UDM field name is appended to the query. For example:

      principal.artifact.network.dhcp.client_hostname

    • If the result matches a text string at the beginning or end of a value, the name-value pair contains the UDM field name and the complete value in the result. The following are examples:

      • metadata.log_type = "PCAP_DNS"

      • network.dns.answers.name = "dns-A901F3j.hat.example.com"

    • If the result includes the text Possible value match, the name-value pair contains the UDM field name and a regular expression containing the search term. For example:

      principal.process.file.full_path = /google/ NOCASE

  6. The query string generated by UDM Lookup serves as a starting point for a search query. Edit the Search query on the Search page to fit your use case.

UDM Lookup behavior summary

This section provides more details about UDM Lookup capabilities.

  • UDM Lookup searches data ingested after August 10, 2023. Data ingested before this is not searched. It returns results found in unenriched UDM fields. It does not return matches to enriched fields. For information about enriched versus unenriched fields, see View events in the Event Viewer.
  • Searches using UDM Lookup are case-insensitive. The term hostname returns the same result as HostName.
  • Hyphens (-) and underscores (_) in a query text string are ignored when searching Values. The text string dns-l and dnsl both return the value dns-l.
  • When searching Values, UDM Lookup does not return matches in the following cases:

    • Matches in the following UDM fields:

      • metadata.product_log_id
      • network.session_id
      • security_result.rule_id
      • network.parent_session_id

    • Matches in UDM fields with a full path that ends in one of the following values:

      • .pid (for example, target.process.pid)
      • .asset_id (for example, principal.asset_id)
      • .product_specific_process_id (for example, principal.process.product_specific_process_id)
      • .resource.id (for example, principal.resource.id)

  • When searching Values, UDM Lookup displays Possible value match when a match is found in the following cases:

    • Matches in the following UDM fields:

      • metadata.description
      • security_result.description
      • security_result.detection_fields.value
      • security_result.summary
      • network.http.user_agent

    • Matches in fields with a full path that ends in one of the following values:

      • .command_line (for example, principal.process.command_line)
      • .file.full_path (for example, principal.process.file.full_path)
      • .labels.value (for example, src.labels.value)
      • .registry.registry_key (for example, principal.registry.registry_key)
      • .url (for example, principal.url)

    • Matches in fields with a full path that begins with additional.fields.value (for example, additional.fields.value.null_value).
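An added Python model (not Google SecOps code) of the UDM Lookup behaviour described in this section and in the Values matching rules above: comparison is case-insensitive with hyphens and underscores ignored, a match at the start or end of a value becomes an exact name-value pair, a match elsewhere or in the listed "Possible value match" fields becomes a regular-expression term with NOCASE, and the listed identifier fields produce no result at all. The sample records are constructed, and normalising the stored value the same way as the query text is this example's assumption.

```python
# Fields, and field-path suffixes, for which UDM Lookup never returns a Values match.
NEVER_RETURNED_FIELDS = {
    "metadata.product_log_id", "network.session_id",
    "security_result.rule_id", "network.parent_session_id",
}
NEVER_RETURNED_SUFFIXES = (".pid", ".asset_id", ".product_specific_process_id", ".resource.id")

# Fields and path patterns whose matches are always reported as "Possible value match".
POSSIBLE_MATCH_FIELDS = {
    "metadata.description", "security_result.description",
    "security_result.detection_fields.value", "security_result.summary",
    "network.http.user_agent",
}
POSSIBLE_MATCH_SUFFIXES = (".command_line", ".file.full_path", ".labels.value",
                           ".registry.registry_key", ".url")
POSSIBLE_MATCH_PREFIXES = ("additional.fields.value",)


def normalize(text: str) -> str:
    """Case-insensitive comparison with hyphens and underscores ignored.
    Assumption: the stored value is normalised the same way as the query text."""
    return text.lower().replace("-", "").replace("_", "")


def classify(field: str, value: str, query: str):
    """Return 'exact', 'possible' or None for one stored field value against a query."""
    if field in NEVER_RETURNED_FIELDS or field.endswith(NEVER_RETURNED_SUFFIXES):
        return None
    needle, hay = normalize(query), normalize(value)
    if not needle or needle not in hay:
        return None
    if (field in POSSIBLE_MATCH_FIELDS or field.endswith(POSSIBLE_MATCH_SUFFIXES)
            or field.startswith(POSSIBLE_MATCH_PREFIXES)):
        return "possible"
    if hay.startswith(needle) or hay.endswith(needle):
        return "exact"          # highlighted match at the beginning or end of the value
    return "possible"           # match elsewhere in the value


def appended_term(field: str, value: str, query: str):
    """The query string UDM Lookup appends for a selected result, or None."""
    kind = classify(field, value, query)
    if kind is None:
        return None
    if kind == "exact":
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field} = "{escaped}"'
    # The page shows the search term used directly as the pattern, e.g. /google/ NOCASE.
    return f"{field} = /{query}/ NOCASE"


def lookup(records, query: str) -> str:
    """Run a Values lookup over (field, value) pairs; appended results are joined with OR."""
    terms = []
    for field, value in records:
        term = appended_term(field, value, query)
        if term:
            terms.append(term)
    return " OR ".join(terms)


# Constructed sample of stored field values; not real data.
SAMPLE_RECORDS = [
    ("metadata.log_type", "PCAP_DNS"),
    ("network.dns.answers.name", "dns-A901F3j.hat.example.com"),
    ("principal.process.file.full_path", r"C:\Program Files\Google\Chrome\chrome.exe"),
    ("target.process.pid", "4412"),
    ("principal.hostname", "corp-dns-l"),
    ("metadata.description", "query forwarded to upstream dns resolver"),
]

if __name__ == "__main__":
    print(lookup(SAMPLE_RECORDS, "dns"))
    print(lookup(SAMPLE_RECORDS, "google"))
```

The useful thing to notice is the shape of the appended query: a "Possible value match" on a file path yields a regular-expression term, which matches far more events than the exact name-value pair you get from a start-of-value match, so it is worth tightening before running the search.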

To view alerts, click the Alerts tab, located next to the Events tab, at the top right of the Search page.

How alerts are surfaced

Google SecOps evaluates the events returned in search against events that exist for alerts in the customer environment. When a search query event matches an event present in an alert, it is displayed in the Alert timeline and the resulting Alert table.

Definition of events and alerts

An event is generated from a raw log source that is ingested into Google SecOps and processed by the Google SecOps ingestion and normalization process. Multiple events can be generated from a single raw log source record. An event represents a set of security-relevant data points that are generated from that raw log.

In search, an alert is defined as a YARA-L rule detection with alerting enabled. See running a rule against live data to learn more.

Other sources of data can be ingested into Google SecOps as alerts, such as Crowdstrike Falcon Alerts. These alerts don't surface within search unless they are processed by the Google SecOps Detection Engine as a YARA-L rule.

Events that are associated with one or more alerts are marked with an Alert chip in the Event Timeline. If there are multiple alerts associated with the timeline, the chip displays the number of associated alerts.

The timeline displays the latest 1,000 alerts retrieved from search results. When the 1,000 limit is reached, no more alerts are retrieved. To make sure you see all the results relevant to your search, refine your search with filters.

How to investigate an alert

To learn how to use Alert graph and Alert details to investigate an alert, follow the steps outlined in Investigate an alert.

Use reference lists in searches

The process for applying reference lists in Rules can also be used in search. Up to seven lists may be included in a single search query. All types of reference lists (string, regular expression, CIDR) are supported.

You can create lists of any variable you want to track.

For example, you could create a list of suspicious IP addresses:

// Field value exists in reference list
principal.ip IN %suspicious_ips

You can use multiple lists by using AND or OR:

// multiple lists can be used with AND or OR
principal.ip IN %suspicious_ips AND
principal.hostname IN %suspicious_hostnames

Refine the search results

Use the Search page features to filter and refine results, as an alternative to modifying and rerunning the search. For example:

Timelines chart

The Timelines chart provides a graphical representation of the number of events and alerts occurring each day that are being surfaced by the current search. Events and alerts are displayed on the same timeline chart, which is available in both the Events and Alerts tab.

The width of each bar depends on the time interval searched. For example, each bar represents 10 minutes when the search spans 24 hours of data. This chart is updated dynamically as you modify the existing search.

Time range adjustment

You can adjust the time range for the chart by moving the white slider controls left and right to adjust the time range and focus on the period of interest. As you adjust the time range, the UDM Fields and Values, and Events tables are updated to reflect the current selection. You can also click a single bar on the graph to list just those events in that time period.

Once you have adjusted the time range, the Filtered Events and Query Events checkboxes will appear, enabling you to further limit the types of events displayed.

Figure 4. Events timelines chart with time range controls.

Aggregations window

The Aggregations window displays Grouped Fields and UDM Fields generated by your UDM search. Grouped Fields are used to search across multiple UDM Fields of a similar type.

A Grouped Field, for example, ip, namespace, or user, is a placeholder variable that groups the values of similar UDM fields. For example, the namespace grouped field groups all the values from the following UDM Fields: principal.namespace, src.namespace, and target.namespace.

An Events count is displayed for each Grouped Field and UDM Field. The Events count is the number of event records having the same value for that field.

Grouped Fields and UDM Fields are sorted from highest to lowest Events count, and in alphabetical order within the same Events count.

To pin a field to the top of the Aggregations list, click the field's Keep icon.

Figure 5. Aggregations help identify high frequency values.

Using Aggregations, you can further narrow your UDM search. You can either scroll through the list of UDM fields or search for specific UDM fields or values using the Search field.

Filter aggregation fields

Use filter options to narrow the list of UDM fields displayed in the Aggregations list, as follows:

Figure 6. Example of events that include the selected UDM field value.

  1. Select a UDM field in the Aggregations list, to display a list Values for that field.

  2. Select a Value from that list and click the More menu icon.

  3. Select one of the filter options:

    • Show only: Only show events that include the selected UDM field value.
    • Filter out: Filter out events that include the selected UDM field value.
    • Copy: Copy the UDM field value to your clipboard.

You can add these additional UDM filters to the Filter events field.

Filter events field

The Filter events field displays the filters you've created, and lets you apply them to the Search field, or remove them as needed.

When you click Apply to search and run, the displayed events are filtered based on the displayed additional filters, and the Search field is updated. The search is automatically run again using the same date and time parameters.

Figure 7. Filter events field.

If you click Add filter, a window opens letting you select additional UDM fields.

Figure 8. Filter events window.

View events in the Events table

All filters and controls affect the list of events shown in the Events table. Click any event to open the Log Viewer, where you can view both the raw log and the corresponding UDM record. When you click the event's timestamp, you can then navigate to the associated Asset, IP address, Domain, Hash, or User view. You can also use the Search field to find a specific event.

View alerts in the Alerts table

You can view alerts by clicking the Alerts tab. Use Aggregations to sort alerts by:

  • Case
  • Name
  • Priority
  • Severity
  • Status
  • Verdict

This helps you to focus on the alerts that are most important to you.

Alerts are displayed on the same timeframe as the events are in the Events tab. This helps you see the connection between events and alerts.

If you want to learn more about a specific alert, click the alert. An individual Alert detail page opens containing in-depth information about that alert.

View events in the Event viewer

To open the Event Viewer, hold the pointer over an event in the Events table and click Open event viewer.

The Event Viewer has the following tabs: UDM Fields, Raw Log, Alerts, and Entities:

  • UDM Fields tab:

    The UDM Fields tab displays the structured list of UDM Fields in the UDM record.

    • Hold the pointer over any UDM field to view its definition.
    • Select a field's checkbox to perform actions on multiple fields.
    • Use the following actions:

      • Filters: Apply the following filters to the list of UDM Fields:

        • Show unenriched fields
        • Show enriched fields
        • Show additional fields
        • Show extracted fields
      • Add to Columns: Add the UDM field as a column.

      • Copy: To copy the selected UDM fields and UDM values to the system clipboard.

    Each UDM field is labeled with an icon indicating whether the field contains enriched or unenriched data. The icon labels are the following:

    • U: Unenriched fields contain values populated during the normalization process using data from the original raw log.
    • E: Enriched fields contain values that Google SecOps populates to provide additional context about artifacts in a customer environment. For more information, see How Google SecOps enriches event and entity data.

      Figure 9. UDM fields in the Event Viewer.

  • Raw Log tab

    The Raw Log tab displays the original raw log in any of the following formats:

    • Raw
    • JSON
    • XML
    • CSV
    • Hex/ASCII

Use the Columns option to customize the columns displayed in the Events table. The Columns menu opens and offers different options based on the types of events returned by the search.

Save the set of columns

You can optionally save the set of columns you have selected here by clicking Save. Give the set of selected columns a name and click Save again. You can load a set of saved columns by clicking Load and selecting the set of saved columns from the list.

To download the events displayed, click More and select Download as CSV. This will download all the search results, up to 1M events. The console indicates how many events it will download.

Figure 10. Search columns.

Use the Pivot Table to analyze events

The Pivot Table lets you analyze events using expressions and functions against the results from the search.

Complete the following steps to open and configure the Pivot Table:

  1. Run a search.

  2. Click the Pivot tab to open the Pivot Table.

  3. Specify a Group by value to group the events by a specific UDM field. You can display the results using the default capitalization or using lowercase only by selecting lowercase from the menu. This option is only available for string fields. You can specify up to 5 Group by values by clicking Add Field.

    If your Group by value is one of the hostname fields, you will have additional Transform options:

    • Top N-Level Domain: Pick which level of the domain to display. For example, using a value of 1 displays just the top level domain (such as com, gov, or edu). Using a value of 3 displays the next two levels of the domain names (such as google.co.uk).
    • Get Registered Domain: Displays just the registered domain name (such as google.com, nytimes.com, and youtube.com).

    If your Group by value is one of the IP fields, you have additional Transform options:

    • (IP) CIDR Prefix length in bits: You can specify 1 through 32 for IPv4 addresses. For IPv6 addresses, you can specify values up to 128.

    If your Group by value includes a timestamp, you will have additional Transform options:

    • (Time) Resolution in milliseconds
    • (Time) Resolution in seconds
    • (Time) Resolution in minutes
    • (Time) Resolution in hours
    • (Time) Resolution in days
  4. Specify a Value for your Pivot from the list of Fields in your results. You can specify up to 5 values. After you specify a Field, you must select a Summarize option. You can summarize by the following options:

    • sum
    • count
    • count distinct
    • average
    • stddev
    • min
    • max
  5. Specify a value of Event count to return the number of events identified for this particular search and Pivot Table.

    The Summarize options are not universally compatible with the Group by fields. For example, the sum, average, stddev, min, and max options can only be applied to numeric fields. If you attempt to associate an incompatible Summarize option with a Group by field, you will receive an error message.

  6. Specify one or more UDM fields and select one or more sorts by using the Order by option.

  7. Click Apply when you're ready. The results are displayed in the Pivot Table.

  8. Optional: To download the Pivot Table, click More and select Download as CSV. If you did not select a pivot, this option is disabled.
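To make the Group by transforms and Summarize options above concrete, here is an added Python simulation (not Google SecOps code) of a pivot over four constructed events: CIDR prefix length for an IP field, Top N-Level Domain for a hostname field, time resolution for a timestamp, and the seven Summarize options, including the error raised when a numeric-only option is applied to a non-numeric field. Timestamps are treated as epoch seconds, the sample standard deviation (and 0 for a single value) is this example's assumption, and the function names are its own.

```python
import ipaddress
import statistics

# Constructed events (not real data) using UDM field names that appear on this page.
EVENTS = [
    {"principal.ip": "10.1.4.7",    "target.hostname": "mail.example.co.uk",
     "metadata.event_timestamp": 1700000000, "network.sent_bytes": 1200},
    {"principal.ip": "10.1.9.2",    "target.hostname": "www.example.co.uk",
     "metadata.event_timestamp": 1700000100, "network.sent_bytes": 800},
    {"principal.ip": "10.2.0.5",    "target.hostname": "cdn.example.com",
     "metadata.event_timestamp": 1700003700, "network.sent_bytes": 5000},
    {"principal.ip": "192.168.7.1", "target.hostname": "login.example.com",
     "metadata.event_timestamp": 1700003800, "network.sent_bytes": 300},
]

# (Time) resolution options, as a bucket size in seconds.
RESOLUTIONS = {"milliseconds": 0.001, "seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def transform(value, spec):
    """Apply a Group by transform: ("cidr", bits), ("domain", n) or ("time", unit)."""
    if spec is None:
        return value
    kind, arg = spec
    if kind == "cidr":      # (IP) CIDR prefix length: 1-32 for IPv4, up to 128 for IPv6
        return str(ipaddress.ip_network(f"{value}/{arg}", strict=False))
    if kind == "domain":    # Top N-Level Domain: keep the last n labels of the hostname
        return ".".join(value.split(".")[-arg:])
    if kind == "time":      # (Time) resolution: floor the timestamp to the start of its bucket
        step = RESOLUTIONS[arg]
        return value - value % step
    raise ValueError(f"unknown transform: {kind}")


NUMERIC_ONLY = {"sum", "average", "stddev", "min", "max"}
SUMMARIZE = {
    "sum": sum,
    "count": len,
    "count distinct": lambda vs: len(set(vs)),
    "average": statistics.fmean,
    "stddev": lambda vs: statistics.stdev(vs) if len(vs) > 1 else 0.0,  # assumption: sample stddev
    "min": min,
    "max": max,
}


def _is_number(v) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def pivot(events, group_by: str, value_field: str, summarize: str, spec=None) -> dict:
    """Group events by a (transformed) field and summarize another field per group."""
    groups = {}
    for event in events:
        key = transform(event[group_by], spec)
        groups.setdefault(key, []).append(event[value_field])
    if summarize in NUMERIC_ONLY and any(not _is_number(v) for vs in groups.values() for v in vs):
        raise TypeError(f"{summarize} can only be applied to numeric fields")
    agg = SUMMARIZE[summarize]
    return {key: agg(vs) for key, vs in sorted(groups.items(), key=lambda kv: str(kv[0]))}


if __name__ == "__main__":
    print(pivot(EVENTS, "principal.ip", "network.sent_bytes", "sum", ("cidr", 16)))
    print(pivot(EVENTS, "target.hostname", "network.sent_bytes", "count", ("domain", 2)))
    print(pivot(EVENTS, "metadata.event_timestamp", "principal.ip", "count distinct", ("time", "hours")))
```

Grouping by a /16 prefix or by the last two domain labels is what turns a long list of individual addresses or hosts into a handful of rows, which is the point of the transforms when you are looking for the unusual source among many.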

Saved searches and search history overview

Clicking Search manager lets you retrieve saved searches and view your search history. Select a saved search to view additional information, including the title and description.

Saved searches and search history are:

  • Stored with your Google SecOps account.

  • Only viewable and accessible by the individual user unless you use the Share a search feature to share your search with your organization.

To save a search, do the following:

  1. From the Search page, click More next to Run search and click Save search to use this search later. This opens the Search manager dialog. We recommend giving your saved search a meaningful name and a plain text description of what you're searching for. You can also create a new search from within the Search manager dialog by clicking Add. Standard UDM editing and completion tools are also available here.

  2. Optional: Specify placeholder variables in the format ${<variable name>} using the same format as is used for variables in YARA-L. If you add a variable to a search, you must also include a prompt to help the user understand the required information to enter before they run the search. All variables must be populated with values prior to a search being run.

    For example, you could add metadata.vendor_name = ${vendor_name} to your search. For ${vendor_name}, you need to add a prompt for future users, such as Enter the name of the vendor for your search. Each time a user loads this search in the future, they are prompted to enter the vendor name prior to running the search.

  3. Click Save Edits when you're finished.

  4. To view saved searches, click Search Manager and then click the Saved tab.

To retrieve and run a saved search, do the following:

  1. In the Search manager dialog, select a saved search from the list to the left. These saved searches are saved to your Google SecOps account.

  2. Optional: Delete a search by clicking More and selecting Delete search. You can only delete searches you created.

  3. You can change the name of the search and the description. Click Save edits when you're finished.

  4. Click Load search. The search is loaded into the main search field.

  5. Click Run Search to see the events associated with this search.

Retrieve a search from your search history

To retrieve and run a search from your search history, do the following:

  1. In the Search Manager, click History.

  2. Select a search from your search history. Your search history is saved to your Google SecOps account. You can delete a search by clicking Delete.

  3. Click Load search. The search is loaded into the main search field.

  4. Click Run search to see the events associated with this search.

Clear, disable, or enable search history

To clear, disable, or enable search history, do the following:

  1. In Search Manager, click the History tab.

  2. Click More.

  3. Select Clear History to clear the search history.

  4. Click Disable History to disable search history. You have the option to either:

    • Opt-Out Only: Disable search history.

    • Opt-Out and Clear: Disable search history and delete the saved search history.

  5. If you have previously disabled search history, you can enable it again by clicking Enable Search History.

  6. Click Close to exit Search Manager.

Share a search

Shared searches let you share searches with your team. In the Saved tab, you can share or delete searches. You can also filter your searches by clicking Filter next to the search bar and sort searches by Show all, Google SecOps defined, Authored by Me, or Shared.

You cannot edit a shared search that is not your own.

  1. Click Saved.
  2. Click the search you want to share.
  3. Click More on the right side of the search. A dialog with the option to share your search appears.
  4. Click Share With Your Organization.
  5. A dialog appears that says Sharing your search will be visible to people in your organization. Are you sure you want to share? Click Share.

If you want the search to only be visible to you, click More and click Stop Sharing. If you stop sharing, only you can use this search.

UDM fields that can or cannot be downloaded to CSV from the platform

Supported and unsupported UDM fields for downloading are shown in the following subsections.

Supported fields

You can download the following fields to a CSV file from the platform:

  • user

  • hostname

  • process name

  • event type

  • timestamp

  • raw log (valid only when raw logs are enabled for the customer)

  • All fields starting with "udm.additional"

Valid field types

You can download the following field types to a CSV file:

  • double

  • float

  • int32

  • uint32

  • int64

  • uint64

  • bool

  • string

  • enum

  • bytes

  • google.protobuf.Timestamp

  • google.protobuf.Duration

Unsupported fields

Fields that start with "udm" (not udm.additional) and meet either of the following conditions cannot be downloaded to CSV:

  • The nesting of the field is more than 10 deep in udm proto.

  • The data type is Message or Group.

Factors limiting search results

When conducting UDM searches, the following factors can limit the number of results returned:

  • Total results exceeded 1M: Search limits results to 1M events. When results exceed 1M, only 1M results are shown.

  • Limiting results to <1M in the platform through search settings: you can configure the default search result set to return fewer than 1M results, improving query speed. If set to <1M, you see fewer results. By default, SecOps search limits the number of results to 30K, but you can change this to up to 1M using search settings on the Results page.

  • Search results are limited to 10K: Even if your search returns more than 10,000 results, the console displays only the first 10,000. This limitation of the console doesn't reflect the total number of possible results.

What's next

For information about how to use context-enriched data in search, see Use context-enriched data in search.
