The SOAR Search function helps you quickly locate specific cases or entities
in Google Security Operations. Google SecOps maintains detailed
records of all cases and entities across your environment, enabling quick access to relevant
investigation data.
It supports both free-text and field-based searches across all data indexed
within the past year, including case metadata, alerts, events, ports, and case
timelines. You can search for either cases or entities.
Explore the SOAR Search options
You can search for either cases or entities from the SOAR Search
interface, using filters to refine results and take action on individual or multiple cases.
Search cases
By default, the menu next to the main search bar is set to search
for cases. Each result includes details, such as associated alerts, entities,
insights, and case wall activity.
To search cases, follow these steps:
1. Go to Investigation > SOAR Search.
2. Enter your search criteria:
   - Free-text search: In the main search bar, enter keywords or phrases related to the case.
   - Field-based search: Use the available field filters to refine your search by specific criteria, such as:
     - CaseIds
     - TicketIds
     - Ports
     - AlertName
3. Select the appropriate timeframe using the date picker next to the search bar.
4. Click a case to view more details, generate reports, or perform actions.
Note: Simulated case IDs aren't displayed by default.
Examples of case searches
- Query by caseids:180,181 to return specific case data. Click an ID to reach the Case Details screen.
- Query by Ports:663,770 to return all alerts that include these ports.
- Query by Entity:10.210.1.13 to return all cases that have the IP address 10.210.1.13 as an entity.
- Query by AlertName:IRC Connections to return all cases with a matching alert name.
Search entities
Each entity in the search results includes the entity type, risk level,
location, environment, and case count. An entity may be associated with
multiple cases.
To search entities, follow these steps:
1. Go to Investigation > SOAR Search.
2. In the menu next to the search bar, select Entities.
3. Enter your search criteria:
   - Free-text search: In the main search bar, enter keywords or phrases related to the entity.
   - Field-based search: Use the available field filters to refine your search by specific criteria, such as Contains or Equals.
4. Click an entity in the results to view context, related cases, and the entity log.
Examples of searching by entities
- When you search by Entities, you can use free-text search. For example, a free-text search for Chronicle returns all entities containing that word. The search results show key details about each entity, including Risk, Location, Environment, and case count.
- Click an individual entity to go to the Entity Details page for more information.
Use filters to refine search results
Filters let you narrow your search results by selecting specific attributes.
After selecting filters, click Apply to update your results, or click Clear
to reset the filters to their default values.
Search for cases filters
When searching for cases, you can filter by:
- Status: Select the Open and Closed options as required. This selection returns open, closed, or both types of cases.
- Environment: Filters by specific environments.
- Tags: Filters by tags assigned to cases.
- Assigned Users: Select the required system users to whom the cases are assigned.
- Category Outcomes: Filters by the outcomes assigned to cases.
- Ports: Filters by source and destination ports involved in cases.
- Products: Filters by the integrated products.
- Case Source: Filters by the source of the cases.
- Case Stage: Filters by case stages according to SOC methodology.
- Alert Types: Filters by alert types associated with the cases.
- Priorities: Filters by required priorities assigned to the cases.
- Importance: Filters to show cases marked as important (True) or not (False).
- Is Incident: Filters to show cases marked as incidents (True) or not (False).
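The query forms shown in the case-search examples (caseids, Ports, Entity, AlertName and free text) together with the Status, Importance and Is Incident filters above can be modelled locally to see how a field-based query and a filter combine to narrow a result set. The following is an added Python example; it is not Google SecOps code and makes no claim about how the product itself parses queries. The Case attributes, the parse_query and search_cases functions, and the sample cases are all constructed assumptions for illustration, and the example goes beyond the page by applying a query and a filter in one call.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical local model of an indexed SOAR case (field names are assumptions).
@dataclass(frozen=True)
class Case:
    case_id: int
    ticket_id: str
    status: str                 # "Open" or "Closed"
    is_incident: bool
    important: bool
    ports: frozenset
    entities: frozenset
    alert_names: frozenset
    wall_text: str              # constructed stand-in for indexed case-wall text

# Field names accepted in field-based queries; matched case-insensitively, so
# "caseids:180,181" and "CaseIds:180,181" are treated the same (assumption).
FIELDS = {"caseids", "ticketids", "ports", "entity", "alertname"}

def parse_query(query: str) -> Tuple[str, list]:
    """Split 'Field:value1,value2' into (field, values); anything else is free text."""
    if not query.strip():
        raise ValueError("empty query")
    head, sep, rest = query.partition(":")
    name = head.strip().lower()
    if sep and name in FIELDS:
        values = [v.strip() for v in rest.split(",") if v.strip()]
        if not values:
            raise ValueError(f"{head.strip()} query needs at least one value")
        if name in ("caseids", "ports"):
            try:
                values = [int(v) for v in values]
            except ValueError as exc:
                raise ValueError(f"{head.strip()} values must be integers: {rest!r}") from exc
        return name, values
    # No recognised field prefix (or a colon inside ordinary text): free-text search.
    return "text", [query.strip()]

def _matches(case: Case, name: str, values: list) -> bool:
    """Evaluate one parsed query against one case."""
    if name == "caseids":
        return case.case_id in values
    if name == "ticketids":
        return case.ticket_id in values
    if name == "ports":
        return bool(case.ports & set(values))
    if name == "entity":
        return bool(case.entities & set(values))
    if name == "alertname":
        wanted = {v.lower() for v in values}
        return any(a.lower() in wanted for a in case.alert_names)
    return values[0].lower() in case.wall_text.lower()

def search_cases(cases: Iterable[Case], query: str,
                 status: Tuple[str, ...] = ("Open", "Closed"),
                 is_incident: Optional[bool] = None,
                 important: Optional[bool] = None) -> List[int]:
    """Return sorted case IDs matching the query after the Status /
    Is Incident / Importance filters are applied (None means 'not filtered')."""
    name, values = parse_query(query)
    allowed = set(status)
    hits = []
    for case in cases:
        if case.status not in allowed:
            continue
        if is_incident is not None and case.is_incident != is_incident:
            continue
        if important is not None and case.important != important:
            continue
        if _matches(case, name, values):
            hits.append(case.case_id)
    return sorted(hits)

# Constructed sample cases; IDs, ports and the IP reuse the page's example values.
CASES = [
    Case(180, "T-1001", "Open", True, False, frozenset({443}),
         frozenset({"10.210.1.13"}), frozenset({"IRC Connections"}),
         "analyst note: beacon to irc server confirmed"),
    Case(181, "T-1002", "Closed", False, True, frozenset({663, 22}),
         frozenset({"host-7"}), frozenset({"Brute Force"}),
         "closed as false positive after review"),
    Case(182, "T-1003", "Open", False, False, frozenset({770}),
         frozenset({"10.210.1.13", "alice"}), frozenset({"IRC Connections"}),
         "lab traffic from chronicle test range"),
]

if __name__ == "__main__":
    print(search_cases(CASES, "caseids:180,181"))                          # [180, 181]
    print(search_cases(CASES, "Ports:663,770", status=("Closed",)))        # [181]
    print(search_cases(CASES, "Entity:10.210.1.13", is_incident=True))     # [180]
    print(search_cases(CASES, "chronicle"))                                # [182]
```

Field-based queries narrow by an exact attribute, while a free-text query only has to appear somewhere in the indexed text; a filter such as Status is applied on top of either, which is why the same Ports query returns fewer cases once the Status filter excludes open cases.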
Search for entities filters
If searching for entities, you can filter results based on the following criteria:
- Networks: Filters by the required organizational networks of the entities.
- Environments: Filters by the required environments related to the entities.
- Type: Filters by the type of entity.
- Is Suspicious: Filters to show cases flagged as suspicious (True) or not (False).
- Is Internal: Filters to show internal or external entities (True) or not (False).
- Is Enriched: Filters to show entities enriched by the system (True) or not (False).
Perform actions on cases
You can perform single or bulk actions on selected cases directly from the
search results.
1. In the search results, select the checkbox next to one or more cases.
2. Click Menu and choose an action:
   - Export to CSV: downloads selected case data as a .CSV file.
   - Close case: closes selected open cases.
   - Reopen case: reopens selected closed cases.
   - Change priority: modifies the priority of selected open cases.
   - Assign case: reassigns selected open cases to another user.
   - Add tag: adds tags to selected open cases.
   - Merge cases: merges selected cases into a parent case.
   - Change stage: updates the current stage of selected cases.
Supported in: Google SecOps SOAR
Last updated 2025-09-04 UTC.