Create pre-process rules to perform actions on incidents as soon as they are ingested.
Pre-process rules enable you to perform certain actions on incidents as soon as they are ingested (after classification and mapping) but before the incident is created in Cortex XSOAR. These rules enable you to drop, deduplicate, link, or close incoming incidents based on specific criteria. For example, you can link the incoming incident to an existing incident or, under preconfigured conditions, drop the incoming incident altogether.
When creating pre-process rules you can test them on existing incidents to see how they perform.
Creating a pre-process rule is a three-part process that uses the pre-process wizard:
1. Select the incident field and value you want the rule to apply to.
2. Select the action to perform on the incident, such as link or drop.
3. Add the criteria to compare existing incidents with the new incident, including the time range and oldest and newest incidents.
After you create a rule in the Pre-Process Rules tab, you can do the following:
- View, edit, copy, or delete the pre-process rule.
- Enable/disable the pre-process rule.
Note: Rules are executed in the order they appear (from top to bottom). You can drag and drop rules as required. Only one rule is applied per incident.
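
The following added example is a simplified Python model of the evaluation order described above, not Cortex XSOAR code or its API. It shows how moving a broad drop rule above a link rule changes the outcome for the same incoming incident. The rule dictionaries, field names, and sample incidents are constructed for illustration, and the behavior when a link rule finds no existing incident is an assumption of the model.

```python
from datetime import datetime, timedelta

# Constructed sample data: incidents that already exist.
EXISTING = [
    {"id": 1, "type": "Phishing", "sender": "a@example.com", "created": datetime(2024, 1, 1, 9, 0)},
    {"id": 2, "type": "Phishing", "sender": "a@example.com", "created": datetime(2024, 1, 1, 11, 0)},
]

def find_existing(incoming, existing, rule):
    """Existing incident sharing rule['same'] within rule['window'], oldest or newest."""
    hits = [e for e in existing
            if e[rule["same"]] == incoming[rule["same"]]
            and timedelta(0) <= incoming["created"] - e["created"] <= rule["window"]]
    if not hits:
        return None
    pick = min if rule["pick"] == "oldest" else max
    return pick(hits, key=lambda e: e["created"])

def preprocess(incoming, rules, existing=EXISTING):
    """Apply only the first rule, top to bottom, whose field/value condition matches."""
    for rule in rules:
        if incoming.get(rule["field"]) != rule["value"]:
            continue
        if rule["action"] == "drop":
            return ("drop", None, rule["name"])
        target = find_existing(incoming, existing, rule)
        # Model assumption: a link rule with no matching existing incident
        # lets the incident be created normally.
        if target is None:
            return ("create", None, rule["name"])
        return ("link", target["id"], rule["name"])
    return ("create", None, None)  # no rule matched

LINK_PHISHING = {"name": "link-phishing", "field": "type", "value": "Phishing",
                 "action": "link", "same": "sender",
                 "window": timedelta(hours=24), "pick": "oldest"}
DROP_SENDER = {"name": "drop-sender", "field": "sender", "value": "a@example.com",
               "action": "drop"}

# Constructed incoming incident that satisfies both rule conditions.
INCOMING = {"type": "Phishing", "sender": "a@example.com",
            "created": datetime(2024, 1, 1, 12, 0)}

if __name__ == "__main__":
    print(preprocess(INCOMING, [LINK_PHISHING, DROP_SENDER]))  # link rule on top
    print(preprocess(INCOMING, [DROP_SENDER, LINK_PHISHING]))  # drop rule on top
```

Because only one rule is applied, a rule placed below a broader matching rule never runs for that incident, so reviewing the order after adding a drop rule helps avoid silently discarding incidents that were meant to be linked.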