Stay organized with collectionsSave and categorize content based on your preferences.
Review potential security issues with Google Security Operations
This document describes how to conduct searches when investigating alerts and
potential security issues using Google Security Operations.
Before you begin
Google Security Operations is designed to work exclusively with the Google Chrome or Mozilla Firefox browsers.
Google recommends upgrading your browser to the most current version. You can download the latest version of Chrome fromhttps://www.google.com/chrome/.
Google SecOps is integrated into your single sign-on solution (SSO).
You can log in to Google SecOps using the credentials provided by your enterprise.
Launch Chrome or Firefox.
Ensure you have access to your corporate account.
To access the Google SecOps application, wherecustomer_subdomainis your customer-specific identifier, navigate to:
https://customer_subdomain.backstory.chronicle.security.
Viewing Alerts and IOC Matches
In the navigation bar, selectDetections > Alerts and IOCs.
Click theIOC Matchestab.
Searching for IOC matches inDomainview
TheDomaincolumn in theIOC Domain Matchestab contains a list of
suspect domains. Clicking on a domain in this column opensDomainview, as shown
in the following figure, providing detailed information about this domain.
Domainview
Using the Google Security Operations Search field
Initiate a search directly from the Google Security Operations home page, as shown in the following figure.
Google Security OperationsSearchfield
On this page, you can enter the following search terms:
Hostname displaysDomainview
(for example, plato.example.com)
Domain displaysDomainview
(for example, altostrat.com)
IP address displaysIP Addressview
(for example, 192.168.254.15)
URL displaysDomainview
(for example, https://new.altostrat.com)
Username displaysAssetview
(for example, betty-decaro-pc)
File hash displaysHashview
(for example, e0d123e5f316bef78bfdf5a888837577)
You do not have to specify which type of search term you are entering,
Google Security Operations determines it for you. The results are shown in the
appropriate investigative view. For example, typing a username in the search field
displaysAssetview.
Searching raw logs
You have the option of searching the indexed database or searching raw
logs. Searching raw logs is a more comprehensive search, but takes
longer than an indexed search.
To further pinpoint your search, you can use regular expressions, make the
search entry case sensitive, or select log sources. You can also select
the timeline you want using theStartandEndtime fields.
To conduct a raw log search, complete the following steps:
Type in your search term, and then selectRaw Log Scanin the dropdown menu,
as shown in the following figure.
Dropdown menu showingRaw Log Scanoption
After setting your raw search criteria, click theSearchbutton.
FromRaw Log Scanview, you can further analyze your log data.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[[["\u003cp\u003eGoogle Security Operations helps investigate security issues using various views like Domain, User, and Asset, each providing specific insights into potential threats.\u003c/p\u003e\n"],["\u003cp\u003eUsers can access Google Security Operations through Chrome or Firefox using their enterprise single sign-on credentials, by navigating to a customer-specific URL.\u003c/p\u003e\n"],["\u003cp\u003eThe platform allows searching for IOC matches and viewing alerts, and you can use the built-in search bar with various terms like hostnames, domains, IP addresses, URLs, usernames, and file hashes, which automatically direct you to the appropriate view.\u003c/p\u003e\n"],["\u003cp\u003eIt offers both indexed database and raw log searches, with raw log searches being more comprehensive and allowing for further refinement using regular expressions, case sensitivity, log sources, and custom timelines.\u003c/p\u003e\n"],["\u003cp\u003eNavigating to a user or asset view can be done from the Enterprise insights page by clicking on the user or asset name from the recent alerts section, allowing for further investigation.\u003c/p\u003e\n"]]],[],null,["Review potential security issues with Google Security Operations\n\nThis document describes how to conduct searches when investigating alerts and\npotential security issues using Google Security Operations.\n\nBefore you begin\n\nGoogle Security Operations is designed to work exclusively with the Google Chrome or Mozilla Firefox browsers.\n| **Note:** Google SecOps doesn't support multiple concurrent logins for the same profile.\n\nGoogle recommends upgrading your browser to the most current version. You can download the latest version of Chrome from \u003chttps://www.google.com/chrome/\u003e.\n\nGoogle SecOps is integrated into your single sign-on solution (SSO).\nYou can log in to Google SecOps using the credentials provided by your enterprise.\n\n1. Launch Chrome or Firefox.\n\n2. Ensure you have access to your corporate account.\n\n3. To access the Google SecOps application, where \u003cvar translate=\"no\"\u003ecustomer_subdomain\u003c/var\u003e\n is your customer-specific identifier, navigate to:\n https://\u003cvar translate=\"no\"\u003ecustomer_subdomain\u003c/var\u003e.backstory.chronicle.security.\n\nViewing Alerts and IOC Matches\n\n1. In the navigation bar, select **Detections \\\u003e Alerts and IOCs**.\n\n2. Click the **IOC Matches** tab.\n\nSearching for IOC matches in **Domain** view\n\nThe **Domain** column in the **IOC Domain Matches** tab contains a list of\nsuspect domains. Clicking on a domain in this column opens **Domain** view, as shown\nin the following figure, providing detailed information about this domain.\n\n\n**Domain** view\n\nUsing the Google Security Operations Search field\n\nInitiate a search directly from the Google Security Operations home page, as shown in the following figure.\n\n\nGoogle Security Operations **Search** field\n\nOn this page, you can enter the following search terms:\n\n|-------------------------------------------|-------------------------------------------------|\n| - Hostname displays **Domain** view | (for example, plato.example.com) |\n| - Domain displays **Domain** view | (for example, altostrat.com) |\n| - IP address displays **IP Address** view | (for example, 192.168.254.15) |\n| - URL displays **Domain** view | (for example, https://new.altostrat.com) |\n| - Username displays **Asset** view | (for example, betty-decaro-pc) |\n| - File hash displays **Hash** view | (for example, e0d123e5f316bef78bfdf5a888837577) |\n\n\u003cbr /\u003e\n\nYou do not have to specify which type of search term you are entering,\nGoogle Security Operations determines it for you. The results are shown in the\nappropriate investigative view. For example, typing a username in the search field\ndisplays **Asset** view.\n\nSearching raw logs\n\nYou have the option of searching the indexed database or searching raw\nlogs. Searching raw logs is a more comprehensive search, but takes\nlonger than an indexed search.\n\nTo further pinpoint your search, you can use regular expressions, make the\nsearch entry case sensitive, or select log sources. You can also select\nthe timeline you want using the **Start** and **End** time fields.\n\nTo conduct a raw log search, complete the following steps:\n\n1. Type in your search term, and then select **Raw Log Scan** in the dropdown menu,\n as shown in the following figure.\n\n\n Dropdown menu showing **Raw Log Scan** option\n2. After setting your raw search criteria, click the **Search** button.\n\n3. From **Raw Log Scan** view, you can further analyze your log data."]]
Domainview
Google Security Operations Searchfield
Dropdown menu showing Raw Log Scanoption