De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.
In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:
Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page or the Related Incidents page. To de-duplicate incidents manually, see Manually De-Duplicate Incidents.
Automatic De-Duplication: You can automate incident de-duplication by using Pre-Process Rules and Scripts.
Automations: You can create an automation that creates child incidents from duplicates.
Playbooks: Identify, review, or close duplicate incidents using playbooks.
Pre-Process Rules
Pre-Process rules, which you define directly in the user interface, enable you to perform certain actions on incidents as soon as they are ingested into Cortex XSOAR. Through these rules, you select the incoming events on which to act, for example, to link the incoming incident to an existing incident, or, under pre-configured conditions, to drop the incoming incident altogether.
You can de-duplicate incidents by selecting the Link and Close action in the Pre-Process Rules tab. To create a pre-process rule, see Create Pre-Process Rules for Incidents. After you create a pre-process rule, in the Pre-Process Rules tab, you can do the following:
View, edit, copy, or delete the Pre-Process Rule.
Enable/disable the Pre-Process Rule.
The Link and Close action creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If no existing incident matching the defined criteria is found, a new incident is created for the incoming event.
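The following is an added example, not Cortex XSOAR code or its API: it models the Link and Close decision described above as plain Python (match the incoming incident to an open existing incident on chosen fields within a time window; on a hit, record the link on the existing incident and close the incoming one, otherwise create a new incident). The Incident fields, the matching fields, and the 24-hour window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed, simplified incident record (not the XSOAR incident schema).
@dataclass
class Incident:
    id: str
    name: str
    source_ip: str
    created: datetime
    status: str = "open"
    linked: list = field(default_factory=list)  # models the Linked Incidents table


def find_match(incoming, existing, fields, window):
    """Return the newest open existing incident that equals `incoming` on every
    field in `fields` and was created within `window` before it, else None."""
    candidates = [
        inc for inc in existing
        if inc.status == "open"
        and inc.created >= incoming.created - window
        and all(getattr(inc, f) == getattr(incoming, f) for f in fields)
    ]
    return max(candidates, key=lambda inc: inc.created) if candidates else None


def preprocess(incoming, existing, fields=("name", "source_ip"),
               window=timedelta(hours=24)):
    """Apply a Link and Close style rule to `incoming`.

    Returns ("linked", existing_id) when a duplicate was found, or
    ("created", incoming_id) when the incoming event became a new incident.
    """
    target = find_match(incoming, existing, fields, window)
    if target is None:
        existing.append(incoming)            # no match: a new incident is created
        return ("created", incoming.id)
    target.linked.append(incoming.id)        # entry in the existing incident's Linked Incidents
    incoming.status = "closed"               # the incoming incident is closed, not created
    return ("linked", target.id)


if __name__ == "__main__":
    # Constructed sample data: the second event duplicates the first within the window.
    t0 = datetime(2024, 1, 1, 12, 0)
    store = [Incident("1", "Phishing: Invoice", "10.0.0.5", t0)]
    print(preprocess(Incident("2", "Phishing: Invoice", "10.0.0.5", t0 + timedelta(hours=1)), store))
```

Logging which rule fired on each decision (as the troubleshooting note below suggests for real rules) is the natural next step when adapting this to production.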
For troubleshooting, you might need to identify which pre-process rule was triggered. To store pre-process logs in a separate file, set the configuration key preprocess.logs.file with the value true.
Playbooks
There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.
Playbook | Description
---|---
 | Identifies duplicate incidents using the machine learning model (used mainly for phishing).
 | Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.