Link incidents in the Linked Incidents section or the CLI.
When ingesting incidents, you may find that several incidents have similar or identical information. You have the following options:
Set up automatic deduplication. Your administrator can set up pre-process rules or scripts in a playbook. For more information, see Incident deduplication in Cortex XSOAR.
From the incidents table, mark the incident as duplicate. You select which incident to keep and which to close.
From the incident, in the LINKED INCIDENTS section, add linked incidents. These incidents are linked but not closed.
In the CLI, you can use the !linkIncidents command to deduplicate, and link/unlink incidents.
When you link incidents without closing them, you can view all similar incidents together instead of closing them as duplicates. Linked incidents appear in one table, where you can take action on all of them together, such as running commands or closing the incidents.
If you find during your investigation that you want to unlink incidents, run the !linkIncidents command in the CLI.