When customizing your search in the investigation tool, you can include one or more conditions in your search. If you're customizing a search that has at least 2 conditions, you also have the option to create nested queries—in other words, searches that include 2 or 3 levels of conditions.
Nested queries let you narrow your search with more granular queries that target specific types of events. To create one, click Add condition group while customizing your search.
For example, you might want to run a search about inbound emails in your organization to investigate users who are receiving attachments. Additionally, you might want to narrow your search by including only users who are opening those attachments or clicking links within the emails. When customizing your search, you would base the search on the Gmail log events data source, and you would set up the following conditions for your search:
- The email must have an attachment.
- AND the user must either open the attachment OR click a link in the email.
Note: Most data sources enable 3-level nested queries. The Users data source enables only 2-level nested queries, while the Chrome browsers data source doesn't enable nested queries.
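The attachment search above, modeled as an added Python example (not the investigation tool's own code or query syntax): it evaluates the nested condition over constructed events and enforces the per-data-source level limits from the note. The field names, the tuple query format, and counting a flat list of conditions as 1 level are assumptions made for illustration.

```python
# Constructed sample events; field names are hypothetical, not the tool's schema.
EVENTS = [
    {"user": "ana@example.com", "has_attachment": True, "opened_attachment": True, "clicked_link": False},
    {"user": "bo@example.com", "has_attachment": True, "opened_attachment": False, "clicked_link": True},
    {"user": "cy@example.com", "has_attachment": True, "opened_attachment": False, "clicked_link": False},
    {"user": "di@example.com", "has_attachment": False, "opened_attachment": False, "clicked_link": True},
]

# Levels allowed per data source, taken from the note on this page.
# Assumption: "doesn't enable nested queries" means 1 level (flat conditions only).
MAX_LEVELS = {"Users": 2, "Chrome browsers": 1}
DEFAULT_MAX_LEVELS = 3  # "Most data sources enable 3-level nested queries."

def levels(node):
    """Count levels of conditions; a group holding only plain conditions is 1 level."""
    op, body = node
    if op not in ("AND", "OR"):
        return 0  # a leaf condition: (field, expected_value)
    return 1 + max(levels(child) for child in body)

def matches(node, event):
    """Evaluate a condition or a condition group against one event."""
    op, body = node
    if op == "AND":
        return all(matches(child, event) for child in body)
    if op == "OR":
        return any(matches(child, event) for child in body)
    return event.get(op) == body

def search(source, query, events):
    """Return matching users, rejecting queries nested deeper than the source allows."""
    limit = MAX_LEVELS.get(source, DEFAULT_MAX_LEVELS)
    if levels(query) > limit:
        raise ValueError(f"{source} allows at most {limit} level(s) of conditions")
    return [e["user"] for e in events if matches(query, e)]

# Has an attachment AND (opened the attachment OR clicked a link): 2 levels.
NESTED = ("AND", [("has_attachment", True),
                  ("OR", [("opened_attachment", True), ("clicked_link", True)])])
# Without a condition group, every condition must hold at once: 1 level.
FLAT = ("AND", [("has_attachment", True), ("opened_attachment", True),
                ("clicked_link", True)])

if __name__ == "__main__":
    print(search("Gmail log events", NESTED, EVENTS))
    print(search("Gmail log events", FLAT, EVENTS))
```

The flat query returns no users because no constructed event has both interactions, which is the gap the condition group closes.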