
Hello everyone,

I would like to ask: is it possible to search for alerts and their details using UDM search? If yes, what search query is suitable for this purpose?

Thank you in advance !

Hi @Zorghost,

The following post is likely of interest - https://www.googlecloudcommunity.com/gc/SIEM-Forum/UDM-Search-to-find-triggered-alerts/m-p/727126

Kind Regards,

Ayman C

This is unfortunately not what I am looking for. I just saw that there was a new feature where I can directly query the alerts using UDM search:

I would like to try to replicate that and create a query to use with the Chronicle integration to execute a UDM query to retrieve the alerts. I saw in some of the blogs that the alerts would have an ALERT tag on them, similar to this:


Yes, it is possible to search for alerts and their details using UDM search. A basic query would be:

alert.name : "*"

You can adjust the query based on specific alert details you're looking for.
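Since the goal in this thread is a query that can be handed to the Chronicle integration's UDM query action, the following added Python example (not code from this thread, from Google, or from the integration) shows how to build such an alert query from field/value filters with the values escaped, and how to assemble the Chronicle Search API request for it. It assumes the events:udmSearch endpoint of the Chronicle Search API with query, time_range.start_time, time_range.end_time and limit parameters on the US base URL backstory.googleapis.com, and the field = "value" clause syntax joined with AND; the wildcard form quoted above is passed through as the caller supplies it. The escaping is the security-relevant part: when a filter value comes from a playbook input, an unescaped double quote would let that input close the string and append its own clauses to the query.

```python
"""Build a UDM alert query and the Chronicle Search API request for it.

Added example, not from the forum thread or from Google. Assumptions:
  * Chronicle Search API endpoint GET .../v1/events:udmSearch with the
    query, time_range.start_time, time_range.end_time and limit parameters
    (US base URL shown; regional deployments use a different host);
  * UDM search clause syntax  field = "value"  joined with AND.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

# Assumption: US regional endpoint of the Chronicle Search API.
BASE_URL = "https://backstory.googleapis.com/v1/events:udmSearch"

# UDM field paths are dotted identifiers; anything else is rejected so a
# caller cannot smuggle operators in through the field name either.
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def udm_quote(value: str) -> str:
    """Quote a value for a UDM query, escaping backslashes and double quotes.

    Without this, a playbook input such as  x" OR alert.name = "y  would
    close the string and add its own clause to the query.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_alert_query(filters: dict) -> str:
    """Combine field/value filters into one UDM query joined with AND.

    {"alert.name": "Suspicious Login"} becomes  alert.name = "Suspicious Login"
    """
    if not filters:
        raise ValueError("at least one filter is required")
    clauses = []
    for field, value in filters.items():
        if not FIELD_RE.match(field):
            raise ValueError(f"invalid UDM field name: {field!r}")
        clauses.append(f"{field} = {udm_quote(str(value))}")
    return " AND ".join(clauses)


def build_search_url(query: str, lookback_hours: int = 24, limit: int = 100,
                     now: Optional[datetime] = None) -> str:
    """Return the udmSearch URL for `query` over the last `lookback_hours`.

    Timestamps are RFC 3339 in UTC (assumed to be what the API expects).
    `now` is injectable so the result is reproducible in tests.
    """
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=lookback_hours)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    params = {
        "query": query,
        "time_range.start_time": start.strftime(fmt),
        "time_range.end_time": end.strftime(fmt),
        "limit": limit,
    }
    return BASE_URL + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed input: the hostname imitates an untrusted playbook
    # parameter trying to widen the search to every alert named "x".
    q = build_alert_query({
        "alert.name": "Suspicious Login",
        "principal.hostname": 'host01" OR alert.name = "x',
    })
    print(q)
    print(build_search_url(q, lookback_hours=6, limit=50))
```

The query string returned by build_alert_query is what you would paste into UDM search or pass to the integration's UDM query action; build_search_url only assembles the request, so the API call itself (with your service-account credentials) is left to the integration or to your own HTTP client.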


Currently, you can search for alerts via the UI in a few different ways.


The most direct way is via the Alerts subtab in the Alerts & IOC section under Detection. From there you have a set of filters on the right side to choose from. However, the data available may not include all the fields you want to search on.



Alternatively, you can execute a search under Investigations, sometimes referred to as a SIEM search, where you can use all of the fields in UDM to search. When your search completes, you will see three subtabs: the Overview, which provides summary info on the entity, if applicable, as well as the search result summary; the middle subtab, which contains the events (any events that are part of an alert have a flag next to them); and a final subtab for alerts.


This subtab will only return alerts based on the criteria in the UDM search.
