Download events

You can display and download large numbers of the events associated with each threat detection. This lets you search across a broad set of the data stored in your Chronicle account to hunt for security issues.

Display and download events

Complete the following steps to display and download the events associated with a detection:

  1. In the navigation bar, click Detection > Rules & Detections.

  2. Click the Rules Dashboard tab.


  3. Click a rule to open the Rule Detections view.

  4. Select a Detection from the Detections list and expand the sample events list by clicking the arrow to the left. There is a limit of up to 10 event samples for each event variable defined in the rule. Event samples past this limit will be omitted. The Download as CSV option appears if event samples were omitted from your detection. A maximum of 100,000 events can be downloaded. The event samples are sorted by event timestamp in the UI. Google does not guarantee any sorting of event samples when reading detections from Chronicle APIs.

    (Figure: Detection with sample events expanded and the Download all option.)

  5. (Optional) You can click the Columns icon and add other columns of information to the sample events lists. This information will be included in the downloaded CSV file.


  6. Click the Download as CSV link. The event samples are downloaded as a CSV file which you can then open in most spreadsheet applications.
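Because step 4 notes that sample ordering is not guaranteed when detections are read from Chronicle APIs, and that samples are capped at 10 per event variable, a client that consumes detections can sort the samples itself and flag variables that hit the cap. The following is an added example, not Google's code: the detection record is constructed, its JSON layout (`collectionElements`, `label`, `references`, `event.metadata.eventTimestamp`) is an assumption about the API response, and timestamps are assumed to be UTC with a `Z` suffix.

```python
from datetime import datetime, timezone

SAMPLE_LIMIT = 10  # per-event-variable sample cap stated in step 4

# Constructed detection record. The layout (collectionElements -> label /
# references -> event -> metadata.eventTimestamp) is an assumed shape.
DETECTION = {
    "id": "de_example-0001",  # constructed placeholder
    "collectionElements": [
        {"label": "login", "references": [
            {"event": {"metadata": {"eventTimestamp": f"2024-01-01T00:{m:02d}:00Z"}}}
            for m in (40, 5, 30, 15, 55, 10, 25, 50, 20, 45)]},
        {"label": "proc", "references": [
            {"event": {"metadata": {"eventTimestamp": ts}}}
            for ts in ("2024-01-01T00:07:00.5Z", "2024-01-01T00:07:00.25Z")]},
    ],
}

def parse_ts(value):
    """Parse a UTC timestamp ending in Z, with optional fractional seconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Pad or trim the fraction to microseconds so ".5" and ".25" compare correctly.
    return dt.replace(microsecond=int((frac + "000000")[:6]))

def ordered_samples(detection):
    """Return ({variable: events sorted by timestamp}, variables at the cap).

    A variable with SAMPLE_LIMIT samples may have had further events omitted,
    so the full set should be pulled with Download as CSV."""
    by_var, maybe_truncated = {}, []
    for element in detection.get("collectionElements", []):
        events = [ref["event"] for ref in element.get("references", [])]
        events.sort(key=lambda e: parse_ts(e["metadata"]["eventTimestamp"]))
        by_var[element["label"]] = events
        if len(events) >= SAMPLE_LIMIT:
            maybe_truncated.append(element["label"])
    return by_var, maybe_truncated

if __name__ == "__main__":
    samples, capped = ordered_samples(DETECTION)
    for var, events in samples.items():
        print(var, [e["metadata"]["eventTimestamp"] for e in events])
    print("possibly truncated:", capped)
```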