Apply and save filters

Supported in:

Google secops SOAR

Filters let you narrow your case search in the queue to precisely target the cases you want to analyze.

You can add each filter using either an AND or OR condition.
Each filter can also include an IS or IS_NOT condition.

The following filters are available:

Time Frame
Alert names
Analysts

Note: When filtering cases by a specific SOC role, such as Tier2, you can choose to include all cases assigned directly to the Tier2 role and to user-assigned cases who belong to it. To do this, select the Include users associated with selected roles checkbox. When this option is selected, the system displays all cases assigned to the role directly, as well as cases assigned to any individual user who is a member of that role. For example, if "Alex Smith" is a member of Tier2, any case assigned to them will appear when filtering by Tier2.

Environments
Priorities
Products
Stages
Tags
Playbook Status

Add a filter

Define custom filters to personalize your case queue view.

To add a new filter, follow these steps:

Click Cases Filter.
In the Case Queue Filter dialog, fill in the required fields. For example, to display high-priority cases that are not in the Investigation stage from the past 24 hours:
- Set the Time Frame to Last 24 hours.
- Set the first criteria to Priorities IS High.
- Set the second criteria to Stages IS_NOT Investigation.
Optional: To save the filter for future use, click Save Filter and give it a name. The filter is saved under keyboard_arrow_down Saved Filters in the Case queue header for future use.
Click Apply.

You can share your case queue filters with other individual users, specific SOC roles (like Tier 1 analysts), or all users.

Filters shared with you or by you display a Shared icon next to their name.

The ability to share filters is based on permissions. To share a filter, your permission group must have the Allow sharing case queue filters permission enabled. This permission is enabled by default for the Admin permission group. For more information about enabling permissions, see Edit a Permission Group.

To share your case queue filters, follow these steps:

Add a new filter by following the steps in the Add a filter section.
After entering the required information, click Save Filter.
In the Save filter dialog, enter a name for the filter and then choose one of the three sharing options:
- Private (only me): This is the default setting. The filter remains private and visible only to you.
- Public (all users): The filter becomes visible to all users who have access to cases.
- Specify users & roles: Select this option to search for and add specific users or predefined SOC roles.
Click Save.

Manage your saved filters

You can manage filters you create. This includes the ability to edit their criteria, update share settings, or delete them from the list.

Any changes to a shared filter are applied to all users you've shared the filter with.

To edit a filter you created, follow these steps:

In the case queue header, click keyboard_arrow_down Saved Filters.
Hold your pointer over the filter you want to manage and click edit .
If the filter is shared, a confirmation dialog appears. Click Yes to continue to the Edit filter dialog.
Modify the filter criteria or change its sharing configuration.
Click Save.

To temporarily modify a shared filter, follow these steps:

In the case queue header, click keyboard_arrow_down Saved Filters.
Click the shared filter you want to modify.
In the case queue header, click Cases Filter to modify the criteria as needed.

Delete a filter

You can delete any filter you created. If the filter is shared, it will no longer be available to the users it was shared with.

To remove a filter, follow these steps:

Hold your pointer over the filter you want to delete and select delete .
In the confirmation dialog, click Yes to delete the filter.

Need more help? Get answers from Community members and Google SecOps professionals.