Deduplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.
When ingesting incidents, you may ingest several incidents that are duplicates of one another. Cortex XSOAR provides the following deduplication capabilities:
Manual deduplication
During an investigation, on the Incidents page, an analyst can manually deduplicate incidents. For more information, see Incident management.
Automatic deduplication

Pre-process rules: Set up pre-process rules to deduplicate incidents as soon as they are ingested into Cortex XSOAR.

Playbooks: There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized deduplication playbooks. For example, instead of automatically closing the duplicate incidents, an analyst can review the duplicated incidents. The Dedup - Generic v4 playbook identifies duplicate incidents using the machine learning model (used mainly for phishing). For more information, see Dedup - Generic v4.

Scripts: Automate deduplication by creating a script or using one of the out-of-the-box scripts, such as:

- FindDuplicateEmailIncidents: Finds duplicate emails for phishing incidents, including malicious, spam, and legitimate emails, and decides whether to close them as duplicates. For more information, see FindDuplicateEmailIncidents.
- DBotFindSimilarIncidents: Finds past similar incidents based on the similarity of incident fields. Includes an option to display indicator similarity. For more information, see DBotFindSimilarIncidents.
- DBotFindSimilarIncidentsByIndicators: Finds similar incidents based on indicator similarity. Each indicator's contribution to the final score is based on its scarcity. For more information, see DBotFindSimilarIncidentsByIndicators.
Note: The DBotFindSimilarIncidents and DBotFindSimilarIncidentsByIndicators scripts are used in the Dedup - Generic v4 playbook.
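As an added illustration of the field-based matching that a pre-process rule or a custom deduplication script applies, the standalone Python below groups incoming phishing-style incidents by a normalized fingerprint (sender, subject with reply/forward prefixes stripped, attachment hashes) inside a time window, and reports which incident each duplicate should be linked to. This is example code written for this page, not Cortex XSOAR's own code and not the logic of FindDuplicateEmailIncidents or the DBot scripts; the field names (emailfrom, emailsubject, attachmenthashes), the 24-hour window, and the sample incidents are all assumptions constructed here, and the script does not call the XSOAR API.

```python
"""Toy incident deduplication by normalized fingerprint within a time window.
Illustrative only: not Cortex XSOAR code; field names and data are constructed."""
import hashlib
import re
from datetime import datetime, timedelta

# Leading "Re:", "Fw:" or "Fwd:" tokens (repeated) are not part of the subject.
SUBJECT_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:\s*", re.IGNORECASE)

# Constructed sample incidents; field names mimic typical phishing incident fields.
SAMPLE_INCIDENTS = [
    {"id": "101", "created": "2024-05-01T09:00:00", "emailfrom": "Billing@example.com",
     "emailsubject": "Invoice 4471 overdue", "attachmenthashes": ["a1b2c3"]},
    {"id": "102", "created": "2024-05-01T09:12:00", "emailfrom": "billing@example.com",
     "emailsubject": "RE: Re:  invoice 4471 OVERDUE", "attachmenthashes": ["A1B2C3"]},
    {"id": "103", "created": "2024-05-01T10:30:00", "emailfrom": "billing@example.com",
     "emailsubject": "Invoice 4471 overdue", "attachmenthashes": ["ffff00"]},
    {"id": "104", "created": "2024-05-03T09:05:00", "emailfrom": "billing@example.com",
     "emailsubject": "Fwd: Invoice 4471 overdue", "attachmenthashes": ["a1b2c3"]},
]


def normalize_subject(subject: str) -> str:
    """Strip every leading reply/forward prefix, lowercase, collapse whitespace."""
    current = subject
    while True:
        stripped = SUBJECT_PREFIX.sub("", current, count=1)
        if stripped == current:
            break
        current = stripped
    return " ".join(current.lower().split())


def fingerprint(incident: dict) -> str:
    """Hash of the fields that identify 'the same email' regardless of casing."""
    parts = [
        incident.get("emailfrom", "").strip().lower(),
        normalize_subject(incident.get("emailsubject", "")),
        ",".join(sorted(h.lower() for h in incident.get("attachmenthashes", []))),
    ]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def find_duplicates(incidents: list, window_hours: int = 24) -> dict:
    """Return {duplicate_id: original_id}.

    Incidents are processed in creation order; the first incident carrying a
    fingerprint is the original, and later ones with the same fingerprint are
    duplicates only while they fall inside the window. Beyond the window a
    repeated fingerprint starts a new original, so an old campaign that
    resurfaces days later still gets its own investigation.
    """
    originals = {}   # fingerprint -> (original_id, created datetime)
    duplicates = {}  # duplicate_id -> original_id
    window = timedelta(hours=window_hours)
    for inc in sorted(incidents, key=lambda i: i["created"]):
        created = datetime.fromisoformat(inc["created"])
        fp = fingerprint(inc)
        if fp in originals:
            orig_id, orig_created = originals[fp]
            if created - orig_created <= window:
                duplicates[inc["id"]] = orig_id
                continue
        originals[fp] = (inc["id"], created)
    return duplicates


if __name__ == "__main__":
    # With the sample data, 102 is a duplicate of 101; 103 differs by attachment,
    # and 104 matches 101 but arrives two days later, outside the 24-hour window.
    for dup_id, orig_id in find_duplicates(SAMPLE_INCIDENTS).items():
        print(f"incident {dup_id} is a duplicate of {orig_id} (candidate to link and close)")
```

In a real pre-process rule or script the map returned by find_duplicates would drive the action the page describes: either close the duplicate and link it to the original automatically, or leave it open and flagged for an analyst to review. The window is the knob worth tuning: too wide and an unrelated repeat of the same lure days later is silently closed; too narrow and a burst of the same phishing email spawns many open incidents.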