# Use context-enriched data in search

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated (UTC): 2025-08-21.

To support security analysts during an investigation, Google Security Operations ingests contextual data from different sources, normalizes it, and attaches additional context to artifacts in a customer environment. This document gives examples of how analysts can use that contextually enriched data in search.

For more information about data enrichment, see [How Google SecOps enriches event and entity data](/chronicle/docs/event-processing/data-enrichment).

Use VirusTotal-enriched metadata fields in search
-------------------------------------------------

VirusTotal enrichment populates file metadata such as `target.file.pe_file` on events that reference a file. The following example finds `PROCESS_MODULE_LOAD` events in which the loaded module is a PE executable whose import table references `kernel32.dll`. The match is on the module's imports, not on a module named `kernel32.dll`.

    metadata.event_type = "PROCESS_MODULE_LOAD" AND
    target.file.file_type = "FILE_TYPE_PE_EXE" AND
    target.file.pe_file.imports.library = "kernel32.dll"

Use geolocation-enriched fields in search
-----------------------------------------

Google SecOps enriches events that contain external IP addresses with geolocation data, which provides additional context during an investigation. Because only external addresses are enriched, the geolocation fields are absent when the relevant address is internal, and a search on those fields will not match such events. The following examples show how to use geolocation-enriched UDM fields in investigative searches.

#### Search by country name (country_or_region)

    target.ip_geo_artifact.location.country_or_region = "Netherlands" OR
    principal.ip_geo_artifact.location.country_or_region = "Netherlands"

#### Search by state

    target.ip_geo_artifact.location.state = "North Holland" OR
    principal.ip_geo_artifact.location.state = "North Holland"

#### Search by longitude and latitude

    principal.location.region_latitude = 52.520588 AND principal.location.region_longitude = 4.788474

#### Search by unauthorized target geographies

This example returns network connections whose target IP geolocates to any country in a list your organization treats as unauthorized. Each country is an exact-match clause; extend the list with one clause per additional country.

    metadata.event_type = "NETWORK_CONNECTION" AND
    (
    target.ip_geo_artifact.location.country_or_region = "Cuba" OR
    target.ip_geo_artifact.location.country_or_region = "Iran" OR
    target.ip_geo_artifact.location.country_or_region = "North Korea" OR
    target.ip_geo_artifact.location.country_or_region = "Russia" OR
    target.ip_geo_artifact.location.country_or_region = "Syria"
    )

#### Search by Autonomous System Number (ASN)

    metadata.event_type = "NETWORK_CONNECTION" AND
    (
    target.ip_geo_artifact.network.asn = 33915
    )

#### Search by organization name

    metadata.event_type = "NETWORK_CONNECTION" AND
    (
    target.ip_geo_artifact.network.organization_name = "google"
    )

#### Search by carrier name

    metadata.event_type = "NETWORK_CONNECTION" AND
    (
    target.ip_geo_artifact.network.carrier_name = "google llc"
    )

#### Search by DNS domain

    metadata.event_type = "NETWORK_CONNECTION" AND
    (
    target.ip_geo_artifact.network.dns_domain = "lightower.net"
    )

View geolocation-enriched fields in the UDM grid
------------------------------------------------

Geolocation-enriched fields are displayed in UDM grid views, including those in Search, Detection View, User View, and Event Viewer.

What's next
-----------

For information about how to use enriched data with other Google SecOps features, see the following:

- [Use context-enriched data in rules](/chronicle/docs/detection/use-enriched-data-in-rules).
- [Use context-enriched data in reports](/chronicle/docs/reports/use-enriched-data-in-reports).

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)