Create pre-process rules to perform actions on incidents as soon as they are ingested.
Pre-Process rules enable you to perform certain actions on incidents as soon as they are ingested into Cortex XSOAR, directly from the user interface. Through these rules, you can select the incoming events on which to perform actions. For example, you can link the incoming incident to an existing incident or, under pre-configured conditions, drop the incoming incident altogether.
You can de-duplicate incidents by selecting the Link and Close action in the Pre-Process Rules tab. To create a pre-process rule, see Create Pre-Process Rules for Incidents. After you create a pre-process rule, in the Pre-Process Rules tab, you can do the following:
View, edit, copy, or delete the Pre-Process Rule.
Enable/disable the Pre-Process Rule.
The Link and Close action creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If no existing incident matching the defining criteria is found, an incident is created for the incoming event.
For troubleshooting, you might need to identify which pre-process rule was triggered. To store pre-process logs in a separate file, go to preprocess.logs.file with the value true.