Deduplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.
When ingesting incidents, you may ingest several incidents that are duplicated. Cortex XSOAR provides the following deduplication capabilities:
Manual deduplication
During an investigation, on the Incidents page, an analyst can manually deduplicate incidents. For more information, see Incident management.
Automatic deduplication
Pre-process rules: Set up pre-process rules to deduplicate incidents as soon as they are ingested into Cortex XSOAR.
Playbooks: There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized deduplication playbooks. For example, instead of automatically closing the duplicate incidents, an analyst can review the duplicated incidents. The Dedup - Generic v4 playbook identifies duplicate incidents using the machine learning model (used mainly for phishing). For more information, see Dedup - Generic v4.
Scripts: Automate deduplication by creating a script or using one of the out-of-the-box scripts, such as:
FindDuplicateEmailIncidents: Used to find duplicate emails for phishing incidents, including malicious, spam, and legitimate emails, and whether to close them as duplicates. For more information, see FindDuplicateEmailIncidents.
DBotFindSimilarIncidents: Finds past similar incidents based on the similarity of incident fields. Includes an option to display indicator similarity. For more information, see DBotFindSimilarIncidents.
DBotFindSimilarIncidentsByIndicators: Finds similar incidents based on the similarity of their indicators. Each indicator's contribution to the final score is based on its scarcity. For more information, see DBotFindSimilarIncidentsByIndicators.
Note: The DBotFindSimilarIncidents and DBotFindSimilarIncidentsByIndicators scripts are used in the Dedup - Generic v4 playbook.
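As an added illustration of the "create a script" option above (example code written for this page, not an XSOAR automation or any of the out-of-the-box scripts), the following standalone Python builds a fingerprint from normalized email fields and flags later incidents with the same fingerprint inside a time window as duplicates of the earliest one. The incident records and their field names are constructed for the example; inside XSOAR the incident list would come from the platform instead.

```python
"""Duplicate-incident finder for email/phishing incidents (illustrative, not XSOAR code)."""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample incidents. Field names are hypothetical, not the XSOAR schema.
SAMPLE_INCIDENTS = [
    {"id": "101", "created": "2024-05-01T08:00:00", "type": "Phishing",
     "emailfrom": "Alice@example.com", "emailsubject": "RE: Invoice 4471", "attachmentsha256": "aa11"},
    {"id": "102", "created": "2024-05-01T08:05:00", "type": "Phishing",
     "emailfrom": "alice@example.com ", "emailsubject": "Fwd: RE: invoice 4471", "attachmentsha256": "aa11"},
    {"id": "103", "created": "2024-05-02T09:00:00", "type": "Phishing",
     "emailfrom": "alice@example.com", "emailsubject": "Invoice 4471", "attachmentsha256": "aa11"},
    {"id": "104", "created": "2024-05-01T08:10:00", "type": "Phishing",
     "emailfrom": "bob@example.com", "emailsubject": "Password reset", "attachmentsha256": ""},
]

# Leading reply/forward prefixes such as "RE:", "Fw:", "Fwd: RE:".
_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes, lowercase, and collapse whitespace."""
    return " ".join(_PREFIX.sub("", subject).lower().split())


def fingerprint(incident: dict) -> str:
    """Hash of the fields that make two phishing incidents 'the same' report."""
    key = "|".join([incident["type"], incident["emailfrom"].strip().lower(),
                    normalize_subject(incident["emailsubject"]), incident["attachmentsha256"]])
    return hashlib.sha256(key.encode()).hexdigest()


def find_duplicates(incidents: list, window_hours: int = 24) -> dict:
    """Return {duplicate_id: original_id}. The earliest incident with a given
    fingerprint is the original; a later one inside the window is its duplicate,
    while one outside the window starts a new original (a fresh campaign)."""
    originals = {}  # fingerprint -> (created, id)
    duplicates = {}
    for inc in sorted(incidents, key=lambda i: i["created"]):
        fp = fingerprint(inc)
        created = datetime.fromisoformat(inc["created"])
        orig = originals.get(fp)
        if orig is not None and created - orig[0] <= timedelta(hours=window_hours):
            duplicates[inc["id"]] = orig[1]
        else:
            originals[fp] = (created, inc["id"])
    return duplicates
```

Closing a flagged incident is left to the playbook or analyst, which keeps the review step described above possible.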