At Sumo Logic, we pride ourselves on our dedication to making Cloud SOAR as user-friendly as possible. Now we’re going to show you in practice how we do that.
Cloud SOAR’s Incident Search Query Bar is easily configurable and lets users customize which incidents, and which incident data, they see. In the remainder of this post, we walk through using the Search Query Bar step by step.
Using Cloud SOAR’s Search Query Bar
The Incident section lists all incidents generated by Cloud SOAR, and clicking on any incident ID opens that incident. Users can control which incidents are displayed by writing queries against the available incident data and saving those queries as incident filters.
Another way to control what the Incident section shows is to adjust which columns are visible. Users can adjust the columns by clicking the cogwheel on the top-right side of the screen.
This opens a configuration screen on which users choose which data is displayed, and where: click the “+” sign next to a field to add it as a column, then drag and drop the columns into the desired order. Once the columns are added and organized, click “Apply” to continue.
Furthermore, the search bar in the Incident section has extensive capabilities for filtering incidents. From the Incident section, users can issue queries against existing incidents simply by typing in the search bar at the top of the screen.
Cloud SOAR also provides its users with a command cheat sheet to help build incident filtering queries. To access the cheat sheet, simply click on the info icon to display the query options.
Say you want to review all incidents of a particular category that have a certain status. By combining conditions with logical operators, we can build both simple and complex queries over related data.
The same approach filters on any incident attribute an analyst considers relevant during an investigation.
Often we want to see only the incidents we are involved in. Searching on the involvement keyword with the value “true” (or “false” for the opposite case) returns the incidents in which we, or a group we are a member of, are involved.
When building search queries, there are three different ways of matching:
Search in a row
Search for a certain value in a column (attribute)
Exact match
Difference between searching in a row, a certain value in a column (attribute), and an exact match
If users want to view incidents that contain a certain word anywhere in the row of the data of the incident, they can just type the word in the search bar.
In the example below, the searched word is “phishing.” Even where the Category differs from the searched word, the word phishing appears in the Short description attribute, so those incidents are returned as well.
To search for the word phishing only in the Category column, place the “:” operator between the column name and the word.
Notice how only incidents that contain the word phishing in the Category column are displayed.
The last option is using an exact match which is performed with the “=” operator.
Notice how the exact match (use of the = operator) is case sensitive: the value must be typed with exactly the capitalization stored in the incident, so a query with the wrong case simply returns no results rather than an error.
Date and time in search queries
If, for example, you want the query to cover a specific period, combine two conditions with the “AND” operator.
Then, once again, use the “Opening Time” field, this time requiring it to be less than or equal to a certain date, for instance the 10th of September 2020, following the same principle as the first condition. This gives you the following results.
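To make the difference between the three matching modes, and the AND/date handling, concrete, here is a small Python evaluator over a handful of incidents. It is an added example, not Cloud SOAR’s own code: the grammar it accepts (bare word, Column:word, Column=value, Column<=YYYY-MM-DD, clauses joined by AND), the column names and the incident records are assumptions modelled on the description in this post, and the product’s real parser may differ.

```python
"""Toy evaluator for the three search modes and AND/date filtering.

Added example, not Cloud SOAR code. The grammar below (bare word,
Column:word, Column=value, Column<=YYYY-MM-DD, AND) and the incidents
are ASSUMPTIONS modelled on the blog's description; the product's real
parser and field names may differ.
"""
import re
from datetime import date

# Constructed sample incidents (not real data).
INCIDENTS = [
    {"ID": 101, "Category": "Phishing", "Status": "Open",
     "Short description": "Reported phishing email with credential-harvesting link",
     "Opening Time": date(2020, 9, 1)},
    {"ID": 102, "Category": "Malware", "Status": "Closed",
     "Short description": "Endpoint alert; payload delivered via phishing attachment",
     "Opening Time": date(2020, 9, 8)},
    {"ID": 103, "Category": "phishing", "Status": "Open",
     "Short description": "Suspicious login from a new country",
     "Opening Time": date(2020, 9, 15)},
    {"ID": 104, "Category": "Data Leak", "Status": "Open",
     "Short description": "Storage bucket exposed to the public internet",
     "Opening Time": date(2020, 9, 20)},
]

# "Column<op>value"; alternation order matters so that "<=" wins over "<".
TERM_RE = re.compile(r"^(?P<field>[^:=<>]+?)\s*(?P<op><=|>=|:|=|<|>)\s*(?P<value>.+)$")
AND_RE = re.compile(r"\s+AND\s+", re.IGNORECASE)


def _unquote(raw):
    return raw.strip().strip("\"'")


def _coerce(actual, raw):
    """Convert the typed text to the type of the column it is compared with."""
    raw = _unquote(raw)
    if isinstance(actual, date):
        return date.fromisoformat(raw)
    if isinstance(actual, int):
        return int(raw)
    return raw


def _match_clause(incident, clause):
    m = TERM_RE.match(clause.strip())
    if m is None:
        # Mode 1, search in a row: the word may appear in any column, so an
        # incident whose Category is not Phishing still matches when its
        # description mentions phishing.  Case-insensitive.
        needle = _unquote(clause).lower()
        return any(needle in str(v).lower() for v in incident.values())
    field, op, raw = m.group("field").strip(), m.group("op"), m.group("value")
    if field not in incident:
        return False
    actual = incident[field]
    if op == ":":
        # Mode 2, value in a column: substring match restricted to that one
        # attribute, case-insensitive.
        return _unquote(raw).lower() in str(actual).lower()
    try:
        wanted = _coerce(actual, raw)
    except ValueError:
        return False  # e.g. "Opening Time<=tomorrow" is not a parseable date
    if op == "=":
        # Mode 3, exact match: the whole value must be equal, and for strings
        # the comparison is case-sensitive ("Open" != "open").
        return actual == wanted
    # Range operators, used here for the Opening Time period examples.
    return {"<": actual < wanted, "<=": actual <= wanted,
            ">": actual > wanted, ">=": actual >= wanted}[op]


def search(query, incidents=INCIDENTS):
    """Return the IDs of incidents satisfying every AND-joined clause."""
    clauses = [c for c in AND_RE.split(query) if c.strip()]
    return [i["ID"] for i in incidents
            if all(_match_clause(i, c) for c in clauses)]


if __name__ == "__main__":
    for q in ("phishing", "Category:phishing", "Category=phishing",
              "Category=Phishing", "Status=open",
              "Category:phishing AND Status=Open",
              "Opening Time>=2020-09-01 AND Opening Time<=2020-09-10"):
        print(f"{q!r:60} -> {search(q)}")
```

Running the script shows the practical consequence of the three modes: the bare word returns incidents 101, 102 and 103 because the description of the Malware incident also mentions phishing, Category:phishing narrows that to 101 and 103 regardless of capitalization, and Category=phishing returns only 103 because the exact match is case sensitive. A query such as Status=open silently returns nothing, which is worth remembering when a saved filter unexpectedly comes back empty.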
Additional info on using the queries
For additional information on the operators and on how queries can be composed, refer to the Helper section for operators.
By selecting “Show more…” you can see additional information on how to write the queries.
Making Cloud SOAR user-friendly a top priority for Sumo Logic
Our goal is to make Cloud SOAR as user-friendly as possible, and as we continue to shape the next-gen Cloud SOAR, user-friendliness remains one of our most important objectives.
We always strive to enhance Cloud SOAR and align it with your current needs. This is why we listen to your feedback and will offer an even more user-friendly solution in our latest Cloud SOAR version 5.3, which is packed with innovative features and improvements with just one goal: to make life easier for you.