Pre-process rules enable you to perform certain actions on events as soon as they are ingested into Cortex XSOAR. We can use pre-process rules to drop incidents, close duplicate incidents, link incidents together, run a script, etc. In this example, our organization has been running a phishing awareness campaign to check if internal users properly report phishing emails. We don't want to investigate these incidents, as we know they are not truly malicious emails.
Select → → → . From Cortex XSOAR v6.11 and later, go to → → → → .
In the Rule Name field, type Phishing Awareness Campaign.
In the Conditions for Incoming incident section, add the following filter:
In the Action field, select Drop.
Click Save.
All future incidents that include this subject are dropped. If the awareness campaign concludes or a new email subject is used, you may want to remove or edit this pre-process rule.