De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark incidents as duplicates using pre-process rules or playbooks.
In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:
Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page or the Related Incidents page. To de-duplicate incidents manually, see Manually De-Duplicate Incidents.
Automatic De-Duplication: You can automatically de-duplicate incidents by using Pre-Process Rules and Scripts.
Automations: You can create an automation that creates child incidents from duplicates.
Playbooks: Identify, review or close duplicate incidents using playbooks.
There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.
Playbook
Description
Identifies duplicate incidents using the machine learning model (used mainly for phishing).
Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.