Incident deduplication in Cortex XSOAR - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-12-12
Category: Administrator Guide
Solution: On-prem
Abstract

Deduplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.

When ingesting incidents, you may ingest several incidents that are duplicates of one another. Cortex XSOAR provides the following deduplication capabilities:

  • Manual deduplication

    During an investigation, on the Incidents page, an analyst can manually deduplicate incidents. For more information, see Incident management.

  • Automatic deduplication

    Pre-process rules
      Set up pre-process rules to deduplicate incidents as soon as they are ingested into Cortex XSOAR.

    Playbooks
      There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized deduplication playbooks. For example, instead of automatically closing the duplicate incidents, an analyst can review the duplicated incidents. The Dedup - Generic v4 playbook identifies duplicate incidents using the machine learning model (used mainly for phishing). For more information, see Dedup - Generic v4.

    Scripts
      Automate deduplication by creating a script or using one of the out-of-the-box scripts, such as:

      • FindDuplicateEmailIncidents: Used to find duplicate emails for phishing incidents, including malicious, spam, and legitimate emails, and to decide whether to close them as duplicates. For more information, see FindDuplicateEmailIncidents.

      • DBotFindSimilarIncidents: Finds past similar incidents based on the similarity of incident fields. Includes an option to display indicator similarity. For more information, see DBotFindSimilarIncidents.

      • DBotFindSimilarIncidentsByIndicators: Finds similar incidents based on the similarity of their indicators. Each indicator's contribution to the final score is based on its scarcity. For more information, see DBotFindSimilarIncidentsByIndicators.

      Note: The DBotFindSimilarIncidents and DBotFindSimilarIncidentsByIndicators scripts are used in the Dedup - Generic v4 playbook.
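As an added illustration of the scarcity-weighted scoring idea behind DBotFindSimilarIncidentsByIndicators, the following standalone Python is not the script's own code and does not call the Cortex XSOAR API; the log(N/df) weighting, the weighted Jaccard score, the sample incidents and the 0.8 threshold are all assumptions made for the example. Candidates are returned for analyst review rather than closed automatically, matching the review-instead-of-close customization described above.

```python
import math
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample data (not real incidents): incident ID -> indicator values.
# The mail relay appears in every incident, so it says nothing about duplication;
# the rarer values are the ones that should drive the score.
PAST_INCIDENTS: Dict[str, Set[str]] = {
    "101": {"relay.example.net", "evil.example.com", "198.51.100.7"},
    "102": {"relay.example.net", "evil.example.com", "198.51.100.7"},
    "103": {"relay.example.net", "payroll-update.example.org"},
    "104": {"relay.example.net", "203.0.113.9"},
}
NEW_INCIDENT: Set[str] = {"relay.example.net", "evil.example.com", "198.51.100.7"}

def scarcity_weights(corpus: Dict[str, Set[str]]) -> Dict[str, float]:
    """Weight each indicator by scarcity: log(N / df), where df is the number of
    incidents containing it. An indicator present in every incident weighs 0."""
    n = len(corpus)
    df = Counter(ind for inds in corpus.values() for ind in inds)
    return {ind: math.log(n / count) for ind, count in df.items()}

def weighted_similarity(a: Set[str], b: Set[str], w: Dict[str, float]) -> float:
    """Weighted Jaccard similarity of two indicator sets, rounded to 4 places.
    If neither side carries any scarce indicator the union weight is 0; treat
    that as no evidence (score 0) rather than dividing by zero."""
    union = sum(w[i] for i in a | b)
    if union == 0.0:
        return 0.0
    shared = sum(w[i] for i in a & b)
    return round(shared / union, 4)

def find_similar_incidents(new_id: str, new_inds: Set[str],
                           past: Dict[str, Set[str]],
                           threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Return (incident_id, score) for past incidents at or above threshold,
    best match first. The new incident joins the corpus so that indicators it
    introduces are counted rather than unknown."""
    corpus = dict(past)
    corpus[new_id] = new_inds
    w = scarcity_weights(corpus)
    hits = [(iid, weighted_similarity(new_inds, inds, w)) for iid, inds in past.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    # Candidates are reported for analyst review, not closed automatically.
    for iid, score in find_similar_incidents("105", NEW_INCIDENT, PAST_INCIDENTS):
        print(f"incident {iid} looks like a duplicate (score {score})")
```

Incidents 103 and 104 share only the ubiquitous relay with the new incident and score 0, so a plain count of shared indicators would have over-matched where the scarcity weighting does not.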