Customize searches with nested queries

Security investigation tool
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

When customizing your search in the investigation tool, you can include one or more conditions in your search. If you're customizing a search that has at least 2 conditions, you also have the option to create nested queries—in other words, searches that include 2 or 3 levels of conditions.

Using nested queries enables you to narrow your search by specifying queries that are much more granular and that are targeted to specific types of events. Do this by clicking  Add condition group while customizing your search.

For example, you might want to run a search about inbound emails in your organization to investigate users who are receiving attachments. Additionally, you might want to narrow your search by including only users who are opening those attachments or clicking links within the emails. When customizing your search, you would base the search on the Gmail log events data source, and you would set up the following conditions for your search:

  • The email must have an attachment.
  • AND the user must either open the attachment OR click a link in the email.

Note: Most data sources enable 3-level nested queries. The Users data source enables only 2-level nested queries, while the Chrome browsers data source doesn't enable nested queries.

Was this helpful?

How can we improve it?
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu