Automatically populate the investigation canvas to view related incidents in Cortex XSOAR.
Cortex XSOAR can automatically populate the Canvas with related entities using machine learning. If your canvas is already populated, auto populating it deletes all of the existing content.
Go to the Canvas tab of the incident you are investigating and click Auto populate.
If you want to customize the canvas, click Customize and select the following:
If, and how many, related incidents appear.
The maximum distance over which items are included in the canvas in the Similarity Max Distance field.
By default the distance is set to 0.8. The closer the score is to 1, the less related they are to the incident.
Linked incidents
Bad and suspicious common indicators
Configure the threshold above which an indicator is ignored in the Indicators Ignore Threshold.
Click Auto populate.
The closer an entity appears to the center, the more closely related it is to the investigated incident.