Different ways to use the SOAR Search screen
In the Search bar, you can search using a keyphrase. You can access these phrases by clicking in the Search bar space. For example:
AlertName:SUSPICIOUS PHISHING EMAIL
You can also search according to Case or Entities. Switching between the two changes the list of Filters that appears below. You can also search according to a specific time frame.
Let's look at some specific examples of searching by Cases:
- Query by caseids:180,181 to return specific case data. You can click on each ID to reach the Case Details screen.
- Query by Ports:663,770 will return all the alerts that have these ports involved.
- Query by Entity:10.210.1.13 will return all the cases with IP address 10.210.1.13 as an entity.
- Query by AlertName:IRC Connections will return all the cases with a matching alert name.
Let's look at some specific examples of searching by Entities:
- Search by Entities supports free-text search. For example, a free-text search for "Chronicle" returns all the entities that have the word Chronicle in them.
The result contains the following information about the entity: Risk, Location, Environment, and Case count. Clicking on the individual entity takes us to the Entity Details page where we can see more information.
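To make the two search modes concrete, here is an added example (not Google SecOps SOAR code, and not the product's query engine) that models the keyphrase syntax shown above against a few constructed sample cases. The case records, entity strings and the rule that comma-separated values match any of the listed values are assumptions for illustration; the real Search screen runs server-side over your own cases.

```python
"""Added example: a local model of the SOAR Search screen's keyphrase syntax.

This is illustration code, not the product's implementation. It shows how the
queries from the documentation (caseids:, Ports:, Entity:, AlertName:) and the
free-text Entities search narrow a set of cases.
"""
from dataclasses import dataclass


@dataclass
class Case:
    case_id: int
    alert_name: str
    ports: set
    entities: set


# Constructed sample data (assumption), not taken from any real SOAR instance.
SAMPLE_CASES = [
    Case(180, "SUSPICIOUS PHISHING EMAIL", {25, 587}, {"10.210.1.13", "user@example.com"}),
    Case(181, "IRC Connections", {663}, {"10.210.1.13"}),
    Case(182, "IRC Connections", {770, 6667}, {"192.0.2.7"}),
    Case(183, "Chronicle Test Alert", {443}, {"chronicle-host", "192.0.2.9"}),
]


def parse_keyphrase(query: str):
    """Split 'Key:value1,value2' into ('Key', ['value1', 'value2']).

    Only the first ':' separates key from value, so values such as
    '10.210.1.13' or alert names containing spaces survive intact.
    """
    key, sep, value = query.partition(":")
    if not sep:
        raise ValueError(f"not a keyphrase query: {query!r}")
    values = [v.strip() for v in value.split(",") if v.strip()]
    if not key.strip() or not values:
        raise ValueError(f"keyphrase needs a key and at least one value: {query!r}")
    return key.strip(), values


def search_cases(query: str, cases=SAMPLE_CASES):
    """Return the cases matching one keyphrase query (search mode: Cases).

    Comma-separated values are treated as 'match any' (assumption).
    """
    key, values = parse_keyphrase(query)
    key_l = key.lower()
    if key_l == "caseids":
        wanted = {int(v) for v in values}
        return [c for c in cases if c.case_id in wanted]
    if key_l == "ports":
        wanted = {int(v) for v in values}
        return [c for c in cases if c.ports & wanted]
    if key_l == "entity":
        wanted = set(values)
        return [c for c in cases if c.entities & wanted]
    if key_l == "alertname":
        wanted = {v.lower() for v in values}
        return [c for c in cases if c.alert_name.lower() in wanted]
    raise ValueError(f"unknown keyphrase: {key!r}")


def search_entities(text: str, cases=SAMPLE_CASES):
    """Free-text search over entities (search mode: Entities).

    Returns {entity: case_count}, mirroring the Case count column the page
    describes; matching is a case-insensitive substring test (assumption).
    """
    needle = text.lower()
    counts = {}
    for c in cases:
        for entity in c.entities:
            if needle in entity.lower():
                counts[entity] = counts.get(entity, 0) + 1
    return counts


if __name__ == "__main__":
    for q in ("caseids:180,181", "Ports:663,770", "Entity:10.210.1.13", "AlertName:IRC Connections"):
        print(q, "->", [c.case_id for c in search_cases(q)])
    print('free text "Chronicle" ->', search_entities("Chronicle"))
```

Each query on the page maps to one call of `search_cases`; the free-text Entities example maps to `search_entities`, whose result carries the per-entity case count you would then refine with the Filters pane.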
You can also use the Filters that appear on the left pane of the Search page to further refine your Search results.