We use Splunk SOAR to automate tasks for our Security Operations team.  One of the integrations I'm working on is having SOAR run a query in ServiceNow via it's REST API endpoints to retrieve information about tickets. 

I'm currently running a sysparm_query API call using IR_AND_OR_QUERY along with a space-separated list of keywords:

https://instance.servicenow.com/api/now/table/incident?sysparm_query=IR_AND_OR_QUERY=10.1.2.3 eviluser^number!=T12345

This works well for individual keywords (10.1.2.3 and eviluser, in the example above).  The IR_AND_OR_QUERY operator searches through the entire ticket and not just a specific column, and it will return tickets that have both keywords as well as tickets containing only one of the keywords.

Sometimes, though, I need to include a phrase instead of a single word.  For example, if I need to check for tickets related to a specifc user and/or their device, I'd need to search for Michael Oswald and XV11230543.  I've tried putting quotes (both single and double) around Michael Oswald but it still looks at them as invidiual words and returns a list of any tickets containing Michael:

sysparm_query=IR_AND_OR_QUERY="Michael Oswald" XV11230543

I've also tried combining the LIKE operator in various ways, but that doesn't work either

sysparm_query=IR_AND_OR_QUERY=LIKEMichael Oswald

I can sort of do it by dropping IR_AND_OR_QUERY and combining LIKE and ^OR, but then I'm limited to specific fields (afaik):

sysparm_query=short_descriptionLIKEMichael Oswald^ORshort_descriptionLIKEXV11230543

but I lose some of the functionality.  I like that IR_AND_OR_QUERY looks through the entire ticket, and that it will first return tickets that have all of my keywords/phrases but can also return tickets with each keyword/phrase individually if it can't find the combo.

Is there a way I can do an IR_AND_OR_QUERY call on a set of keywords and phrases?