July 14, 2026
UDM Search Syntax
UDM Search is the ad-hoc query interface in Google SecOps. Specify field-value pairs joined with AND, OR, and NOT.
Key rules:
- Fields use dot notation: metadata.event_type, principal.ip, target.user.userid
- String values go in double quotes: metadata.event_type = "USER_LOGIN"
- Combine with AND / OR, negate with NOT
- Regex uses forward slashes: target.process.file.full_path = /mimikatz/
- No $ variables, no match:, no outcome:, no condition: blocks. Those belong to YARA-L detection rules.
Example 1: Find All Failed Logins
metadata.event_type = "USER_LOGIN" AND security_result.action = "BLOCK"
This returns failed logins from all ingested sources. Add AND target.user.userid = "jsmith" to scope to a single user.
Example 2: Find Network Connections to Specific CIDRs’
metadata.event_type = "NETWORK_CONNECTION" AND network.direction = "OUTBOUND"
To check connections against a CIDR range, use the net.ip_in_range_cidr() function:
metadata.event_type = "NETWORK_CONNECTION" AND net.ip_in_range_cidr(target.ip, "198.51.100.0/24")
Example 3: Find Process Launches of Specific Binaries
Hunting for credential-dumping tools or recon utilities:
metadata.event_type = "PROCESS_LAUNCH" AND target.process.file.full_path = /mimikatz/
The regex catches any path containing "mimikatz." For a more targeted search:
metadata.event_type = "PROCESS_LAUNCH" AND target.process.file.full_path = /powershell\.exe/ AND target.process.command_line = /Invoke-WebRequest/
UDM Search vs. YARA-L
UDM Search is for ad-hoc hunting: run a query, review results, iterate. YARA-L is for persistent detection rules that evaluate continuously and fire alerts. Both use the same UDM fields.
