Manage Related Incidents - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Manage related incidents by using the related incidents map in Cortex XSOAR. De-duplicate and link related incidents.

Related incidents are determined by calculating a similarity score based on how many identical indicators the incidents share per indicator type (Email, File, IP, URL, or other indicator type) and how many key-value pairs are identical within incident labels and custom fields. If incident A does not have any IP indicators, but incident B does have IP indicators, the similarity is calculated as 0 for this axis. If neither incident has IP indicators, IP indicators are not used as part of the similarity calculation.

The related incidents map provides a visual representation of incidents that share similar characteristics, such as malicious indicators, or that are part of a single phishing campaign. Viewing related incidents in a single view enables you to consolidate the investigation by deduplicating and linking related incidents to the incident you are viewing. Linking incidents helps you assess whether the action taken is effective.

Using the Related Incidents Map

Go to the incident that you are investigating and click Related Incidents.

related_incidents.png

Understanding the Related Incidents Map

  • The incident you are currently investigating is at the center of the Related Incidents map, surrounded by the related incidents. The more similar a related incident, the closer it is to the center.

  • The incidents are categorized according to incident status (pending, active, and closed) and type (such as malware, phishing, and so on). In this example, phishing is categorized:

    Shape

    Status

    incident_pending.png

    Pending status

    incident_active.png

    Active status

    incident_closed.png

    Closed status

  • The map has a time spectrum. Incidents on the right side of the map are newer than the current incident, and the incidents on the left are older. Related incidents are spread across the spectrum according to the time the incident was created. The time scope is 30 days before and 30 days after the currently investigated incident. You can modify the range by using the Date Range.

  • Use the Similarity Scale to display related incidents that are more similar or less similar to the current incident.

  • Hover over a related incident to view detailed information.

  • Click an incident to view a comparison of the two incidents, which shows instances of similar indicators between the incidents. You can click multiple incidents by using ctrl + click or command + click. In the Similarities window, you can pair as Linked or as Duplicate. The incident appears as linked in the Linked Incidents table in the Case info tab.

If you want to build your own related incidents and indicators a layout of your choice, use the Canvas. The Related Incidents page is orientated towards exploration and searching for similar data.

You can configure an allow list or an ignore list for which incident fields to use for related incidents, as described in Configure Incident Fields for Related Incidents.