Link incidents (Cortex XSOAR 8.5 Administrator Guide)

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Link incidents in the Linked Incidents section or the CLI.

When ingesting incidents, you may find that several incidents have similar or identical information. You have the following options:

  • Set up automatic deduplication. Your administrator can set up pre-process rules or scripts in a playbook. For more information, see Incident deduplication in Cortex XSOAR.

  • From the incidents table, mark the incident as duplicate. You select which incident to keep and which to close.

  • From the Incident, in the LINKED INCIDENTS section, add linked incidents. These incidents are linked but not closed.

  • In the CLI, use the !linkIncidents command to deduplicate incidents and to link or unlink them.

Linking incidents without closing them lets you view all similar incidents together in one table and act on them as a group, for example by running commands against them or closing them, without first marking any of them as duplicates.

If during your investigation you decide the incidents should no longer be linked, run the !linkIncidents command in the CLI with the unlink action.

Before you start, note the incident ID you want to link.

  1. In the Case Info tab, scroll to the LINKED INCIDENTS section.

  2. Click the + icon.

  3. Add the incident IDs you want to link, separated by a comma.

  4. Click Submit.

    The linked incident appears in the War Room and the LINKED INCIDENTS section.

  5. (Optional) To take action on or view all linked incidents, open the Linked Incidents table by clicking the linked incidents icon in the LINKED INCIDENTS section.

Note

To unlink the incident, run the following command in the CLI:

!linkIncidents linkedIncidentIDs=<id> action=unlink

To link incidents from the CLI:

  1. In the CLI, run the following command, where <id> is the ID of the incident to link (separate multiple IDs with commas) and the action value is link:

    !linkIncidents linkedIncidentIDs=<id> action=<action value>

    The linked incident appears in the LINKED INCIDENTS section and the War Room.

  2. (Optional) To take action on or view all linked incidents, open the Linked Incidents table by clicking the linked incidents icon in the LINKED INCIDENTS section.

To unlink the incident, run the following command:

!linkIncidents linkedIncidentIDs=<id> action=unlink