I’m looking for explanations, recommendations, or general guidance to help us achieve a more consistent and reliable experience when using the Research Tools and Monitors within Google Threat Intelligence.
We regularly search for intelligence related to specific organizations using Digital Threat Monitoring Research Tools. A simplified example of a query we commonly use is below (in practice, we often include additional AND conditions to narrow the scope):
domain:"company.com" OR group_brand:"Company"
However, we’ve encountered several recurring issues and inconsistencies that make it challenging to reliably search for and analyze intelligence. I’ve outlined the primary concerns below.
Observed Issues
- Inconsistent query execution
  - The same query may time out multiple times before eventually succeeding.
  - For example, running the same search five times may result in four timeouts followed by one successful execution.
  - In other cases, a query will work without issue, but when rerun later (with no changes), it times out.
- Date range limitations
  - We are sometimes prompted to reduce the date range to resolve timeouts.
  - In practice, this may require limiting the range to as little as one week, even when the intelligence we are looking for is several months old (e.g., three months).
- Filtering appears to reduce performance
  - In some cases, a base query returns 200+ results successfully.
  - When we apply additional filters (such as collection type or threat type) to reduce the result set, the query then times out.
  - Logically, we would expect filtering to reduce the workload rather than increase it, which makes this behavior difficult to understand.
- Additional query constraints causing timeouts
  - Adding additional monitor fields can also cause timeouts.
  - For example, a query that works initially may time out after adding a condition such as:
    AND group_threats:"CL0P"
  - This behavior seems consistent whether the constraint is an inclusion or an exclusion.
- Exclusions and query size
  - When searching for malicious domains, excluding known or owned domains (which we know to be non-malicious) can cause the query to time out.
  - This appears to scale with the size of the exclusion list: a small number of exclusions may work, but larger lists often lead to timeouts.
- Monitor behavior vs. research queries
  - If a query consistently times out when used in the Research Tool, will it still function reliably if activated as a Monitor?
  - Since monitors only evaluate new data rather than performing a full historical search, we are wondering whether they are subject to the same limitations.
- Query syntax and structure
  - I believe I understand the standard use of parentheses for logical operators (AND/OR), but I’m unsure whether syntax structure affects how the Research Tool processes queries internally.
  - For example, all of the following queries are logically equivalent, yet their behavior can differ (one may time out while another does not):
    domain:"company.com" OR group_brand:"Company"
    (domain:"company.com") OR (group_brand:"Company")
    ((domain:"company.com") OR (group_brand:"Company"))
  - This may simply be related to the broader performance issues described above, but if there are best practices or recommended “query etiquette” to help avoid timeouts, that guidance would be greatly appreciated.
Any insight into these behaviors, recommended query patterns, known limitations, or configuration best practices would be extremely helpful. Thank you in advance for any explanations or suggestions you can share.
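The following is an added example, not part of the original post and not Google Threat Intelligence's own tooling or API. It shows one practical way to work around the two failure modes the post describes (wide date ranges and long exclusion lists): split the date range into windows that are searched separately and unioned, bisect a window further when it times out, and keep only a bounded number of exclusions in the query while applying the rest client-side. The distinction matters: date windows can be split and unioned, but exclusions cannot, since running `NOT a` and `NOT b` as separate searches and unioning the results would re-admit everything. Assumptions, labelled because the post does not state them: exclusions are written as `AND NOT domain:"value"` clauses; the date range is passed to the search separately from the query string; the backend is abstracted as any callable `run(query, start, end)` that raises `TimeoutError` on timeout. A fake executor with constructed sample hits stands in for the real service so the script runs offline.

```python
from __future__ import annotations

import re
from datetime import date, timedelta
from typing import Callable

# Any search backend: run(query, start, end) -> list of hits, raising TimeoutError on timeout.
Executor = Callable[[str, date, date], list]


def build_query(base: str, exclusions: list[str], field: str = "domain") -> str:
    """Wrap the base query and append one `AND NOT field:"value"` clause per exclusion.
    The exclusion syntax is an assumption; the post does not show it."""
    query = f"({base})"
    for value in exclusions:
        query += f' AND NOT {field}:"{value}"'
    return query


def date_windows(start: date, end: date, days: int) -> list[tuple[date, date]]:
    """Split the inclusive range [start, end] into consecutive windows of at most `days` days.
    Windows can be searched separately and their results unioned; exclusions cannot."""
    if days < 1 or start > end:
        raise ValueError("need days >= 1 and start <= end")
    windows, cur = [], start
    while cur <= end:
        stop = min(cur + timedelta(days=days - 1), end)
        windows.append((cur, stop))
        cur = stop + timedelta(days=1)
    return windows


def search_window(run: Executor, query: str, start: date, end: date) -> list:
    """Run one window; on timeout, bisect it and search both halves in order.
    A single day that still times out is re-raised: narrowing the range cannot fix it."""
    try:
        return run(query, start, end)
    except TimeoutError:
        if start == end:
            raise
        mid = start + (end - start) // 2
        return (search_window(run, query, start, mid)
                + search_window(run, query, mid + timedelta(days=1), end))


def research(run: Executor, base: str, start: date, end: date, exclusions: list[str],
             window_days: int = 30, max_server_exclusions: int = 3, field: str = "domain") -> list:
    """Search base query over [start, end], keeping the query small: only the first
    `max_server_exclusions` exclusions go into the query, the rest are filtered client-side.
    Hits are de-duplicated by id in case bisected windows return the same item."""
    server_side = exclusions[:max_server_exclusions]
    client_side = set(exclusions[max_server_exclusions:])
    query = build_query(base, server_side, field)
    seen, results = set(), []
    for win_start, win_end in date_windows(start, end, window_days):
        for hit in search_window(run, query, win_start, win_end):
            if hit["id"] in seen or hit[field] in client_side:
                continue
            seen.add(hit["id"])
            results.append(hit)
    return results


# Constructed sample data for the offline demo; not real intelligence.
SAMPLE_HITS = [
    {"id": "h1", "date": date(2024, 1, 3), "domain": "company.com"},
    {"id": "h2", "date": date(2024, 1, 20), "domain": "c0mpany.com"},
    {"id": "h3", "date": date(2024, 2, 11), "domain": "cdn.company.com"},
    {"id": "h4", "date": date(2024, 3, 5), "domain": "company-login.net"},
    {"id": "h5", "date": date(2024, 3, 28), "domain": "mail.company.com"},
]


def fake_executor(max_window_days: int = 14, max_not_clauses: int = 3) -> Executor:
    """Model the behaviour the post describes: a window wider than `max_window_days` or a
    query with more than `max_not_clauses` exclusions times out; otherwise return the
    sample hits in range that are not excluded in the query."""
    def run(query: str, start: date, end: date) -> list:
        if (end - start).days + 1 > max_window_days or query.count(" AND NOT ") > max_not_clauses:
            raise TimeoutError(f"{start}..{end}: {query}")
        excluded = set(re.findall(r'AND NOT domain:"([^"]+)"', query))
        return [h for h in SAMPLE_HITS if start <= h["date"] <= end and h["domain"] not in excluded]
    return run


if __name__ == "__main__":
    owned = ["company.com", "cdn.company.com", "mail.company.com",
             "corp.company.com", "intranet.company.com"]
    hits = research(fake_executor(), 'domain:"company.com" OR group_brand:"Company"',
                    date(2024, 1, 1), date(2024, 3, 31), owned)
    for h in hits:
        print(h["date"], h["domain"])
```

With the fake backend, a 30-day window always times out, so each one is bisected down to 15- and then 7- or 8-day halves before it succeeds, and only three of the five owned domains are placed in the query; the other two are dropped from the results locally. The same driver works against a real service by supplying an executor that performs the actual search and raises `TimeoutError` on the service's timeout response.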
