Stay organized with collections
Save and categorize content based on your preferences.
Review potential security issues with Google Security Operations
This document describes how to conduct searches when investigating alerts and
potential security issues using Google Security Operations.
Before you begin
Google Security Operations is designed to work exclusively with the Google Chrome or Mozilla Firefox browsers.
Google recommends upgrading your browser to the most current version. You can download the latest version of Chrome from https://www.google.com/chrome/.
Google SecOps is integrated into your single sign-on solution (SSO).
You can log in to Google SecOps using the credentials provided by your enterprise.
Launch Chrome or Firefox.
Ensure you have access to your corporate account.
To access the Google SecOps application, where customer_subdomain
is your customer-specific identifier, navigate to:
https://customer_subdomain.backstory.chronicle.security.
Viewing Alerts and IOC Matches
In the navigation bar, select Detections > Alerts and IOCs.
Click the IOC Matches tab.
Searching for IOC matches in Domain view
The Domain column in the IOC Domain Matches tab contains a list of
suspect domains. Clicking on a domain in this column opens Domain view, as shown
in the following figure, providing detailed information about this domain.
Domain view
Using the Google Security Operations Search field
Initiate a search directly from the Google Security Operations home page, as shown in the following figure.
Google Security Operations Search field
On this page, you can enter the following search terms:
Hostname displays Domain view
(for example, plato.example.com)
Domain displays Domain view
(for example, altostrat.com)
IP address displays IP Address view
(for example, 192.168.254.15)
URL displays Domain view
(for example, https://new.altostrat.com)
Username displays Asset view
(for example, betty-decaro-pc)
File hash displays Hash view
(for example, e0d123e5f316bef78bfdf5a888837577)
You do not have to specify which type of search term you are entering,
Google Security Operations determines it for you. The results are shown in the
appropriate investigative view. For example, typing a username in the search field
displays Asset view.
Searching raw logs
You have the option of searching the indexed database or searching raw
logs. Searching raw logs is a more comprehensive search, but takes
longer than an indexed search.
To further pinpoint your search, you can use regular expressions, make the
search entry case sensitive, or select log sources. You can also select
the timeline you want using the Start and End time fields.
To conduct a raw log search, complete the following steps:
Type in your search term, and then select Raw Log Scan in the dropdown menu,
as shown in the following figure.
Dropdown menu showing Raw Log Scan option
After setting your raw search criteria, click the Search button.
From Raw Log Scan view, you can further analyze your log data.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations helps investigate security issues using various views like Domain, User, and Asset, each providing specific insights into potential threats.\u003c/p\u003e\n"],["\u003cp\u003eUsers can access Google Security Operations through Chrome or Firefox using their enterprise single sign-on credentials, by navigating to a customer-specific URL.\u003c/p\u003e\n"],["\u003cp\u003eThe platform allows searching for IOC matches and viewing alerts, and you can use the built-in search bar with various terms like hostnames, domains, IP addresses, URLs, usernames, and file hashes, which automatically direct you to the appropriate view.\u003c/p\u003e\n"],["\u003cp\u003eIt offers both indexed database and raw log searches, with raw log searches being more comprehensive and allowing for further refinement using regular expressions, case sensitivity, log sources, and custom timelines.\u003c/p\u003e\n"],["\u003cp\u003eNavigating to a user or asset view can be done from the Enterprise insights page by clicking on the user or asset name from the recent alerts section, allowing for further investigation.\u003c/p\u003e\n"]]],[],null,["# Quickstart: Review potential security issues with Google Security Operations\n\nReview potential security issues with Google Security Operations\n================================================================\n\nThis document describes how to conduct searches when investigating alerts and\npotential security issues using Google Security Operations.\n\nBefore you begin\n----------------\n\nGoogle Security Operations is designed to work exclusively with the Google Chrome or Mozilla Firefox browsers.\n| **Note:** Google SecOps doesn't support multiple concurrent logins for the same profile.\n\nGoogle recommends upgrading your browser to the most current version. You can download the latest version of Chrome from \u003chttps://www.google.com/chrome/\u003e.\n\nGoogle SecOps is integrated into your single sign-on solution (SSO).\nYou can log in to Google SecOps using the credentials provided by your enterprise.\n\n1. Launch Chrome or Firefox.\n\n2. Ensure you have access to your corporate account.\n\n3. To access the Google SecOps application, where \u003cvar translate=\"no\"\u003ecustomer_subdomain\u003c/var\u003e\n is your customer-specific identifier, navigate to:\n https://\u003cvar translate=\"no\"\u003ecustomer_subdomain\u003c/var\u003e.backstory.chronicle.security.\n\nViewing Alerts and IOC Matches\n------------------------------\n\n1. In the navigation bar, select **Detections \\\u003e Alerts and IOCs**.\n\n2. Click the **IOC Matches** tab.\n\nSearching for IOC matches in **Domain** view\n--------------------------------------------\n\nThe **Domain** column in the **IOC Domain Matches** tab contains a list of\nsuspect domains. Clicking on a domain in this column opens **Domain** view, as shown\nin the following figure, providing detailed information about this domain.\n\n\n**Domain** view\n\nUsing the Google Security Operations Search field\n-------------------------------------------------\n\nInitiate a search directly from the Google Security Operations home page, as shown in the following figure.\n\n\nGoogle Security Operations **Search** field\n\nOn this page, you can enter the following search terms:\n\n\u003cbr /\u003e\n\nYou do not have to specify which type of search term you are entering,\nGoogle Security Operations determines it for you. The results are shown in the\nappropriate investigative view. For example, typing a username in the search field\ndisplays **Asset** view.\n\nSearching raw logs\n------------------\n\nYou have the option of searching the indexed database or searching raw\nlogs. Searching raw logs is a more comprehensive search, but takes\nlonger than an indexed search.\n\nTo further pinpoint your search, you can use regular expressions, make the\nsearch entry case sensitive, or select log sources. You can also select\nthe timeline you want using the **Start** and **End** time fields.\n\nTo conduct a raw log search, complete the following steps:\n\n1. Type in your search term, and then select **Raw Log Scan** in the dropdown menu,\n as shown in the following figure.\n\n\n Dropdown menu showing **Raw Log Scan** option\n2. After setting your raw search criteria, click the **Search** button.\n\n3. From **Raw Log Scan** view, you can further analyze your log data."]]
Domain view
Google Security Operations Search field
Dropdown menu showing Raw Log Scan option