Incident De-Duplication - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-04-08
End_of_Life
EoL
Category
Administrator Guide
Abstract

De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.

In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:

  • Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page or the Related Incidents page. To de-duplicate incidents manually, see Manually De-Duplicate Incidents.

  • Automatic De-Duplication: You can automate de-duplicate incidents by using Pre-Process Rules and Scripts.

  • Automations: You can create an automation that creates child incidents from duplicates.

  • Playbooks: Identify, review or close duplicate incidents using playbooks.

    There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.

    Playbook

    Description

    Dedup - Generic v4

    Identifies duplicate incidents using the machine learning model (used mainly for phishing).

    DeDup - Generic v3

    Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.