Incident De-Duplication

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-15
Category: Administrator Guide
Solution: Cloud
Abstract

De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.

In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:

  • Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page. To de-duplicate incidents manually, see De-Duplicate Incidents Manually.

  • Automatic De-Duplication: You can automate incident de-duplication by using Pre-Process Rules and Scripts.

  • Scripts: You can create a script that creates child incidents from duplicates.

  • Playbooks: Identify, review or close duplicate incidents using playbooks.

    There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.

    Playbook            Description
    Dedup - Generic v4  Identifies duplicate incidents using the machine learning model (used mainly for phishing).
    DeDup - Generic v3  Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.
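As an added illustration of the rule and text matching methods that the playbooks above rely on, the following stand-alone Python example is not Cortex XSOAR code and does not use the XSOAR scripting API; the Incident class, the sample incidents, and the 0.8 similarity threshold are constructed for this example. Duplicates found only by text similarity are routed to a review queue rather than closed outright, in line with the manual-review customization suggested above.

```python
import re
from dataclasses import dataclass

@dataclass
class Incident:
    id: str
    name: str
    source: str   # integration or feed that created the incident
    details: str  # free-text description

# Constructed sample incidents for this example; not data from a real tenant.
INCIDENTS = [
    Incident("1", "Phishing: invoice overdue", "Mail", "Please open the attached invoice"),
    Incident("2", "Phishing: invoice overdue", "Mail", "Please open the attached invoice"),
    Incident("3", "Phishing: Invoice overdue!!", "Mail", "please open the attached invoice asap"),
    Incident("4", "Malware alert host-a", "EDR", "Suspicious binary detected on host-a"),
]

def rule_key(inc):
    """Rule method: exact match on normalized source and name."""
    return (inc.source.lower(), inc.name.lower().strip())

def text_similarity(a, b):
    """Text method: Jaccard similarity over lower-cased word tokens."""
    ta = set(re.findall(r"[a-z0-9]+", a.lower()))
    tb = set(re.findall(r"[a-z0-9]+", b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def find_duplicates(incidents, text_threshold=0.8):
    """Map each duplicate id to (original id, method). The first incident of a
    group is the original; later ones are tested by rule first, then by text."""
    originals, duplicates = [], {}
    for inc in incidents:
        for orig in originals:
            if rule_key(inc) == rule_key(orig):
                duplicates[inc.id] = (orig.id, "rule")
                break
            if text_similarity(f"{inc.name} {inc.details}",
                               f"{orig.name} {orig.details}") >= text_threshold:
                duplicates[inc.id] = (orig.id, "text")
                break
        else:  # no original matched: this incident starts a new group
            originals.append(inc)
    return duplicates

def needs_manual_review(duplicates):
    """Ids matched only by text similarity; an analyst should confirm these
    before they are closed as duplicates."""
    return sorted(i for i, (_, method) in duplicates.items() if method == "text")
```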