This document explains how filters can help narrow your search in the case
queue to target only the cases you want to review. Case queue filters help
streamline your workflow by surfacing only the cases you need to act on.
Whether you're triaging high-priority alerts, reviewing cases in a specific
environment, or collaborating with a SOC team, filters offer flexible control
using `AND`, `OR`, `IS`, and `IS_NOT` conditions.
The following filters are available: Timeframe, Alert names, Analysts,
Environments, Priorities, Products, Stages, Tags, and Playbook Status.
Add a filter
Define custom filters to customize your case queue view.
To add a new filter, follow these steps:
Click Cases Filter.
In the Case Queue Filter dialog, fill in the required filter conditions. For
example, to display high-priority cases that are not in the
investigation stage in the past 24 hours:
Set the Time Frame to Last 24 hours.
Set the first condition to
PrioritiesISHigh.
Set the second condition
StagesIS_NOTInvestigation.
Optional: To save the filter for future use, click Save Filter
and enter a name. The filter is saved under
keyboard_arrow_down
Saved Filters in the case queue header for future use.
Click Apply.
Share case queue filters
You can share your case queue filters with other individual users,
specific SOC roles (like Tier 1 analysts), or all users.
Filters shared with you or by you display a Shared icon next
to their name.
To share a filter, your permission group must have the Allow sharing case queue filters permission enabled. This permission is enabled by default for the Admin group. For more information about enabling permissions, see
Edit a permission group.
To share your case queue filters, follow these steps:
Add a new filter by following the steps in
Add a filter.
Click Save Filter.
In the Save filter dialog, enter a name for the filter and then
choose one of the three sharing options:
Private (only me): This is the default setting. The
filter remains private and visible only to you.
Public (all users): The filter is visible to all
users who have access to cases.
Specify users & roles: Select this option to search for
and add specific users or predefined SOC roles.
Click Save.
Manage your saved filters
You can edit, rename, change sharing settings, or delete filters you've created. Changes to shared filters apply to everyone they're shared with.
Edit a filter
To edit a filter you created, follow these steps:
In the case queue header, click
keyboard_arrow_down
Saved Filters.
Hold your pointer over the filter you want to manage and click
edit
Edit.
If the filter is shared, a confirmation dialog appears. Click Yes
to continue to the Edit filter dialog.
Modify the filter criteria or change its sharing configuration.
Click Save.
Temporarily modify a shared filter
To temporarily modify a shared filter, follow these steps:
In the case queue header, click
keyboard_arrow_down
Saved Filters.
Click the shared filter you want to modify.
In the case queue header, click
filter_alt
Cases Filter to modify the filter, and apply changes.
Delete a filter
You can delete any filter you created. If the filter is shared,
it will also be removed from other users' filter lists.
To delete a filter, follow these steps:
Hold your pointer over the filter you want to delete and click
delete
Delete.
In the confirmation dialog, click Yes to delete the filter.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eFilters allow users to refine their case search within the queue by selecting specific criteria.\u003c/p\u003e\n"],["\u003cp\u003eFilters can use AND/OR conditions and Is/Is Not conditions to include or exclude cases based on various attributes.\u003c/p\u003e\n"],["\u003cp\u003eAvailable filter options include Time Frame, Alert Name, Product, Playbook Status, Analysts, Environment, Priorities, Stages, and Tags.\u003c/p\u003e\n"],["\u003cp\u003eUsers can save custom filters for repeated use, accessing them from the Case Queue Header and allowing for easy modification and deletion.\u003c/p\u003e\n"],["\u003cp\u003eThe filter is applied to the case queue after defining the needed conditions, such as setting the time frame to the last 24 hours, priority to high, and excluding the Investigation stage.\u003c/p\u003e\n"]]],[],null,["# Apply and save filters\n======================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThis document explains how filters can help narrow your search in the case\nqueue to target only the cases you want to review. Case queue filters help\nstreamline your workflow by surfacing only the cases you need to act on.\nWhether you're triaging high-priority alerts, reviewing cases in a specific\nenvironment, or collaborating with a SOC team, filters offer flexible control\nusing \\`AND\\`, \\`OR\\`, \\`IS\\`, and \\`IS_NOT\\` conditions.\n\nThe following filters are available: Timeframe, Alert names, Analysts,\nEnvironments, Priorities, Products, Stages, Tags, and Playbook Status.\n| **Note:** When filtering cases by SOC roles (such as `Tier2`), select **Include users associated with selected roles** to include both direct role assignments and individual users assigned to that role. To do this, select the **Include users associated with selected roles** checkbox. When this option is selected, the system displays all cases assigned directly to the role or to any user within that role. For example, if \"Alex Smith\" is a member of `Tier2`, any case assigned to them will appear when you filter by `Tier2`.\n\nAdd a filter\n------------\n\n\nDefine custom filters to customize your case queue view.\n\n\nTo add a new filter, follow these steps:\n\n1. Click **Cases Filter**.\n2. In the **Case Queue Filter** dialog, fill in the required filter conditions. For example, to display high-priority cases that are *not* in the investigation stage in the past 24 hours:\n - Set the **Time Frame** to `Last 24 hours`.\n - Set the first condition to `Priorities` `IS` `High`.\n - Set the second condition `Stages` `IS_NOT` `Investigation`.\n3. Optional: To save the filter for future use, click **Save Filter** and enter a name. The filter is saved under keyboard_arrow_down **Saved Filters** in the case queue header for future use.\n4. Click **Apply**.\n\nShare case queue filters\n------------------------\n\n\nYou can share your case queue filters with other individual users,\nspecific SOC roles (like Tier 1 analysts), or all users.\n\nFilters shared with you or by you display a **Shared** icon next\nto their name.\nTo share a filter, your permission group must have the **Allow sharing case queue filters** permission enabled. This permission is enabled by default for the **Admin** group. For more information about enabling permissions, see [Edit a permission group](/chronicle/docs/soar/admin-tasks/permissions/working-with-permission-groups#edit-a-permission-group).\n\nTo share your case queue filters, follow these steps:\n\n1. Add a new filter by following the steps in [Add a filter](#add-a-filter).\n2. Click **Save Filter**.\n3. In the **Save filter** dialog, enter a name for the filter and then choose one of the three sharing options:\n - **Private (only me):** This is the default setting. The filter remains private and visible only to you.\n - **Public (all users):** The filter is visible to all users who have access to cases.\n - **Specify users \\& roles:** Select this option to search for and add specific users or predefined SOC roles.\n4. Click **Save**.\n\nManage your saved filters\n-------------------------\n\nYou can edit, rename, change sharing settings, or delete filters you've created. Changes to shared filters apply to everyone they're shared with.\n| **Note:** You can only manage filters you create. You can't edit or delete filters shared with you. Any changes to shared filters are temporary.\n\n### Edit a filter\n\nTo edit a filter you created, follow these steps:\n\n1. In the case queue header, click keyboard_arrow_down **Saved Filters**.\n2. Hold your pointer over the filter you want to manage and click edit **Edit**.\n3. If the filter is shared, a confirmation dialog appears. Click **Yes** to continue to the **Edit filter** dialog.\n4. Modify the filter criteria or change its sharing configuration.\n5. Click **Save**.\n\n### Temporarily modify a shared filter\n\nTo temporarily modify a shared filter, follow these steps:\n\n1. In the case queue header, click keyboard_arrow_down **Saved Filters**.\n2. Click the shared filter you want to modify.\n3. In the case queue header, click filter_alt **Cases Filter** to modify the filter, and apply changes.\n\n| **Note:** These changes are temporary and won't be saved.\n\n### Delete a filter\n\nYou can delete any filter you created. If the filter is shared,\nit will also be removed from other users' filter lists.\n\nTo delete a filter, follow these steps:\n\n1. Hold your pointer over the filter you want to delete and click delete **Delete**.\n2. In the confirmation dialog, click **Yes** to delete the filter.\n\n| **Note:** You can also delete the filter from the **Edit filter** dialog.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]