Working with the Search screen
The Search page allows you to find specific cases or entities indexed by Chronicle SOAR. Chronicle SOAR stores all case and entity information from cases, giving you the ability to retrieve information that may be relevant to what you are investigating. The search field accepts free-text searches on all data indexed by Chronicle SOAR within the last year, which includes case metadata, alerts, events, ports, the case wall, etc. You can search either cases or entities.
Case Search:
When searching cases, you can use free text as well as field-based searches. Case searches also allow you to narrow down the time period of the records being searched. This returns the cases that have information related to your search. The fields that can be searched are: CaseIds, TicketIds, Ports, AlertName and Entity. Each case can be clicked, giving you the ability to generate a report and review all the information associated with the case (Alerts, Entities, Insights, Case Wall, etc.) as well as perform actions on the case. Note that by default simulated Case IDs are not shown.
Entity Search:
When searching entities, you will see the Name of the Entity, Risk, Location, Environment and Case Count. Entities can be involved in more than one case. Each entity can be clicked so you can review the context details, previous cases and entity log.
Once you have your Search results, you can use the filters on the left-hand side to further refine your Search.
Filters
You can select all the filters (and then deselect individual filters). You can also search within each Filter category.
CASE: Specify any of the following filters and click Apply to view the basic details of the returned cases on the right pane.
- Status – Select the Open and/or Closed options as required. This selection returns cases that are either opened or closed or both, based on your selection.
- Environments (Top 20) – Select the required environments related to the cases.
- Tags (Top 20) – Select the required tags assigned to the cases.
- Assigned Users – Select the required system users to whom the cases are assigned.
- Category Outcomes (Top 20) – Select the required outcomes that are imposed on the cases.
- Ports (Top 20) – Select the required source and destination ports that are involved in the cases.
- Products (Top 20) – Select the integrated products of the cases.
- Case Source – Select the required options that are the source of the cases.
- Case Stage (Top 20) – Select the required case stages that are used for managing cases according to SOC methodology.
- Alert Types (Top 20) – Select the required alert types associated with the cases.
- Priorities – Select the required priorities assigned to the cases.
- Importance – Select True and/or False to display cases that are marked or not marked as important, respectively.
Entity: Specify any of the following filters and click Apply to view the basic details of the returned entities on the right pane.
- Networks (Top 20) – Select the required organizational networks of the entities.
- Environments (Top 20) – Select the required environments related to the entities.
- Type – Select the types of the entities you are searching.
- Is Suspicious – Select True and/or False to display entities marked as suspicious or not.
- Is Internal – Select True and/or False to display entities that are internal to the organization or external to it, respectively.
- Is Enriched – Select True and/or False to display entities that have or have not been enriched by a system action, respectively.
Click Clear to reset case or entity filters to default values anytime.
Single or Batch Actions on Cases
The following Actions can be taken on one or more selected Cases:
- Export to CSV – Exports the selected case results to your local system in .CSV file format.
- Export All – Exports all the cases to your local system in .CSV file format. The system can export up to 1000 cases.
- Close case – Closes the selected cases that are open.
- Reopen case – Reopens the selected cases that were closed.
- Change priority – Enables you to change the priority of the selected cases that are open.
- Assign case – Enables you to assign the selected open cases to a different user.
- Add tag – Enables you to add tags to the selected open cases.
- Change status – Changes the status of the selected cases.
- Merge cases – Merges two or more of the selected cases into a parent case.