End-of-Life (EoL)

Manage Related Incidents

cluster relatedincidents Manage related incidents by using the related incidents map.
Related incidents are a visual representation of incidents that share similar characteristics, such as malicious indicators, or part of a single phishing campaign. Viewing related incidents in a single view enables you to consolidate the investigation by deduplicating and linking related incidents to the incident you are viewing. Linking incidents helps you assess whether the action taken is effective.
Using the Related Incidents Map
Go to the incident that you are investigating and click
Related Incidents
Understanding the Related Incidents Map
  • The incident you are currently investigating is at the center of the Related Incidents map, surrounded by the related incidents. The more similar a related incident, the closer it is to the center.
  • The incidents are categorized according to incident status (pending, active, and closed) and type (such as malware, phishing, and so on). In this example, phishing is categorized:
    Pending status
    Active status
    Closed status
  • The map has a time spectrum. Incidents on the right side of the map are newer than the current incident, and the incidents on the left are older. Related incidents are spread across the spectrum according to the time the incident was created. The time scope is 30 days before and 30 days after the currently investigated incident. You can modify the range by using the
    Date Range
  • Use the
    Similarity Scale
    to display related incidents that are more similar or less similar to the current incident.
  • Hover over a related incident to view detailed information.
  • Click an incident to view a comparison of the two incidents, which shows instances of similar indicators between the incidents. You can click multiple incidents by using
    ctrl + click
    command + click
    . In the
    window, you can pair as
    or as
    . The incident appears as linked in the
    Linked Incidents
    table in the
    Case info
If you want to build your own related incidents and indicators a layout of your choice, use the Canvas. The
Related Incidents
page is orientated towards exploration and searching for similar data.
You can configure an allow list or an ignore list for which incident fields to use for related incidents, as described in Configure Incident Fields for Related Incidents.

Recommended For You