Working with the Search page in SOAR

The Search page lets you find specific cases or entities indexed by Google Security Operations SOAR. Google Security Operations SOAR stores all case and entity information from cases, giving you the ability to retrieve information that may be relevant to what you are investigating. The search field accepts free-text searching on all data indexed by Google Security Operations SOAR within the last year, such as case metadata, alerts, events, ports, and the case wall. You can search either cases or entities.

Case Search:
When searching cases, you can use free text as well as field-based searches. Case searches also allow you to narrow down the time period of the records being searched. This returns the cases that have information related to your search. The fields that can be searched are: CaseIds, TicketIds, Ports, AlertName, and Entity. Each case can be clicked, giving you the ability to generate a report and review all the information associated with the case (such as alerts, entities, insights, and the case wall), as well as perform actions on the case. Simulated case IDs are not shown by default.

Entity Search:
When searching entities, you see the name of the entity, its risk, location, environment, and case count. Entities can be involved in more than one case. Each entity can be clicked so you can review its context details, previous cases, and entity log.

Once you have your search results, you can use the filters on the left-hand side to further refine your search.

Filters

You can select all the filters (and then deselect individual filters). You can also search within each filter category.

Cases: specify any of the following filters and click Apply to view the basic details of the returned cases on the right pane.

  • Status: select the Open and Closed options as required. This selection returns cases that are either opened or closed or both, based on your selection.
  • Environments (Top 20): select the required environments related to the cases.
  • Tags (Top 20): select the required tags assigned to the cases.
  • Assigned Users: select the required system users to whom the cases are assigned.
  • Category Outcomes (Top 20): select the required category outcomes set on the cases.
  • Ports (Top 20): select the required source and destination ports that are involved in the cases.
  • Products (Top 20): select the integrated products of the cases.
  • Case Source: select the required options that are the source of the cases.
  • Case Stage (Top 20): select the required case stages that are used for managing cases according to SOC methodology.
  • Alert Types (Top 20): select the required alert types associated with the cases.
  • Priorities: select the required priorities assigned to the cases.
  • Importance: select True or False to display cases that are marked or not marked as important, respectively.

Entities: specify any of the following filters and click Apply to view the basic details of the returned entities on the right pane.

  • Networks (Top 20): select the required organizational networks of the entities.
  • Environments (Top 20): select the required environments related to the entities.
  • Type: select the types of the entities you are searching.
  • Is Suspicious: select True or False to display entities that are or are not marked as suspicious, respectively.
  • Is Internal: select True to display entities that belong to your organization, or False to display external entities.
  • Is Enriched: select True or False to display entities that have or have not been enriched by a system action, respectively.

Single or batch actions on cases

The following actions can be taken on one or more selected cases:

  • Export to CSV: exports the selected case results to your local system in CSV file format.
  • Export All: exports all the returned cases to your local system in CSV file format. The system can export up to 1000 cases.
  • Close case: closes the selected cases that are open.
  • Reopen case: reopens the selected cases that were closed.
  • Change priority: changes the priority of the selected cases that are open.
  • Assign case: assigns the selected open cases to a different user.
  • Add tag: adds tags to the selected open cases.
  • Change status: changes the status of selected cases.
  • Merge cases: merges two or more of the selected cases into a parent case.