Skip to main content

Tuesday's Tip of the Week - First UDM Searches

  • July 14, 2026
  • 0 replies
  • 9 views

dnehoda
Staff
Forum|alt.badge.img+18

July 14, 2026

 

UDM Search Syntax

 

UDM Search is the ad-hoc query interface in Google SecOps. Specify field-value pairs joined with AND, OR, and NOT.

Key rules:

  • Fields use dot notation: metadata.event_type, principal.ip, target.user.userid
  • String values go in double quotes: metadata.event_type = "USER_LOGIN"
  • Combine with AND / OR, negate with NOT
  • Regex uses forward slashes: target.process.file.full_path = /mimikatz/
  • No $ variables, no match:, no outcome:, no condition: blocks. Those belong to YARA-L detection rules.

Example 1: Find All Failed Logins

metadata.event_type = "USER_LOGIN" AND security_result.action = "BLOCK"

This returns failed logins from all ingested sources. Add AND target.user.userid = "jsmith" to scope to a single user.

 

Example 2: Find Network Connections to Specific CIDRs’

metadata.event_type = "NETWORK_CONNECTION" AND network.direction = "OUTBOUND"

To check connections against a CIDR range, use the net.ip_in_range_cidr() function:

metadata.event_type = "NETWORK_CONNECTION" AND net.ip_in_range_cidr(target.ip, "198.51.100.0/24")

 

Example 3: Find Process Launches of Specific Binaries

Hunting for credential-dumping tools or recon utilities:

metadata.event_type = "PROCESS_LAUNCH" AND target.process.file.full_path = /mimikatz/

The regex catches any path containing "mimikatz." For a more targeted search:

metadata.event_type = "PROCESS_LAUNCH" AND target.process.file.full_path = /powershell\.exe/ AND target.process.command_line = /Invoke-WebRequest/

 

UDM Search vs. YARA-L

UDM Search is for ad-hoc hunting: run a query, review results, iterate. YARA-L is for persistent detection rules that evaluate continuously and fire alerts. Both use the same UDM fields.