Work with the SOAR Search page
The SOAR Search function lets you locate specific cases or entities cataloged by Google Security Operations. Google SecOps maintains detailed records of all cases and entities, enabling quick access to relevant investigation data. The search input accepts field-based searches and free-form text queries across all data indexed by Google SecOps within the past year, including case metadata, alerts, events, ports, and the case timeline. You can search for either cases or entities.
Case Search
By default, the menu next to the main search bar is set to search for cases. Each case in the search results includes detailed information, such as associated alerts, entities, insights, and case wall data.
To search cases, follow these steps:
- Go to Investigation > SOAR Search.
- Enter search criteria:
  - Free-text search: enter keywords or phrases related to the case in the main search bar.
  - Field-based search: use the available field filters to refine your search by specific criteria such as:
    - CaseIds
    - TicketIds
    - Ports
    - AlertName
- Select the appropriate timeframe from the menu beside the main search bar to broaden or narrow the search results.
Click a case to view more details, generate a report, or perform actions.
Entity Search
Each entity in the search results includes details such as the entity type, risk level, location, environment, and case count. Entities can be involved in more than one case.
To search entities, follow these steps:
- Go to Investigation > SOAR Search.
- Select Entities from the menu next to the main search bar.
- Enter search criteria:
  - Free-text search: enter keywords or phrases related to the entity in the main search bar.
  - Field-based search: use the available field filters to refine your search by specific criteria such as:
    - Contains
    - Equals
Click an entity to view the context details, previous cases, and entity log.
Filter search results
You can refine your search results using filters. Filters allow you to select multiple options or search within specific categories.
To use filters, select the required options, then click Apply to update your results or Clear to reset the filters to their default values.
Case filters
If searching for cases, you can filter results based on the following criteria:
- Status: select the Open and Closed options as required. This selection returns cases that are open, closed, or both, depending on your selection.
- Environments: select the required environments related to the cases.
- Tags: select the required tags assigned to the cases.
- Assigned Users: select the required system users to whom the cases are assigned.
- Category Outcomes: select the required outcomes assigned to the cases.
- Ports: select the required source and destination ports that are involved in the cases.
- Products: select the integrated products of the cases.
- Case Source: select the required options that are the source of the cases.
- Case Stage: select the required case stages that are used for managing cases according to SOC methodology.
- Alert Types: select the required alert types associated with the cases.
- Priorities: select the required priorities assigned to the cases.
- Importance: select True or False to display whether cases are marked as important.
- Is Incident: select True or False to display whether cases are flagged as incidents.
Entity filters
If searching for entities, you can filter results based on the following criteria:
- Networks: select the required organizational networks of the entities.
- Environments: select the required environments related to the entities.
- Type: select the types of the entities you are searching.
- Is Suspicious: select True or False to display entities that are, or are not, marked as suspicious.
- Is Internal: select True to display entities that belong to the organization, or False to display external entities.
- Is Enriched: select True or False to display whether the entities have been enriched by system actions.
Performing actions on cases
To perform single or batch actions on one or more selected cases, follow these steps:
- In the search results, select the checkbox or checkboxes of the case(s) to perform actions on.
- Click Menu and select one of the following options:
- Export to CSV: exports the selected case results to your local system in CSV file format.
- Close case: closes the selected cases that are open.
- Reopen case: reopens the selected cases that were closed.
- Change priority: changes the priority of the selected cases that are open.
- Assign case: assigns the selected open cases to a different user.
- Add tag: adds tags to the selected open cases.
- Merge cases: merges two or more of the selected cases into a parent case.
- Change stage: changes the stage of selected cases.