De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark incidents as duplicates using pre-process rules or playbooks.
In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:
Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page. To de-duplicate incidents manually, see De-Duplicate Incidents Manually.
Automatic De-Duplication: You can automatically de-duplicate incidents by using Pre-Process Rules and Scripts.
Scripts: You can create a script that creates child incidents from duplicates.
Playbooks: Identify, review or close duplicate incidents using playbooks.
There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.
Playbook
Description
Identifies duplicate incidents using the machine learning model (used mainly for phishing).
Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.