You can create an automation that creates child
incidents from duplicates.
review or close duplicate incidents using playbooks.
Pre-Process rules enable you to perform certain actions
on incidents as soon as they are ingested into Cortex XSOAR directly
from the user interface. Through these rules, you can select incoming
events on which to perform actions. For example, you can link the incoming
incident to an existing incident or, under pre-configured conditions,
drop the incoming incident altogether.
action creates an entry
in the Linked Incidents table of the existing incident to which
you link, and closes the incoming incident. If an existing incident
matching the defining criteria is not found, an incident is created
for the incoming event.
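
The drop, link and create outcomes described above, simulated in Python as an added example. This is not Cortex XSOAR code: the `Store` class, the field names, the drop condition and the sample events are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Incident:
    id: int
    fields: dict
    status: str = "active"
    linked: list = field(default_factory=list)  # stands in for the Linked Incidents table

class Store:
    """In-memory stand-in for the incident database (hypothetical, not an XSOAR API)."""
    def __init__(self):
        self.incidents = []
        self._ids = count(1)

    def pre_process(self, event, match_keys, drop_if=None):
        """Apply drop, then link, then create. Returns (outcome, incident or None)."""
        if drop_if and drop_if(event):
            return "dropped", None  # dropped events never become incidents
        incoming = Incident(next(self._ids), dict(event))
        self.incidents.append(incoming)
        for existing in self.incidents[:-1]:
            # Assumption: only open incidents are link targets, and every defining
            # key must be present and equal. A missing key never matches, so sparse
            # events are not folded into an unrelated incident.
            if existing.status == "active" and all(
                k in event and existing.fields.get(k) == event[k] for k in match_keys
            ):
                existing.linked.append(incoming.id)
                incoming.status = "closed"  # the incoming incident is closed
                return "linked", existing
        return "created", incoming

# Constructed sample events (not real data).
EVENTS = [
    {"type": "Phishing", "sender": "a@example.com", "subject": "Invoice"},
    {"type": "Phishing", "sender": "a@example.com", "subject": "Invoice"},
    {"type": "Phishing", "subject": "Invoice"},  # no sender: must not link
    {"type": "Test", "sender": "qa@example.com", "subject": "ping"},
]

def run(events):
    store = Store()
    is_test = lambda e: e.get("type") == "Test"  # assumed drop condition
    return store, [store.pre_process(e, ["sender", "subject"], is_test)[0] for e in events]

if __name__ == "__main__":
    print(run(EVENTS)[1])
```

The third event shows why the choice of defining criteria matters: matching on too few fields links unrelated incidents and closes them before anyone reviews them.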
There are several out-of-the-box playbooks you can run
to identify and close duplicate incidents. Alternatively, you can
use these playbooks as the basis for customized de-duplication playbooks.
For example, instead of automatically closing the duplicate incidents,
include a manual review of the duplicate incidents.
Dedup - Generic
Identifies duplicate incidents using one of
the supported methods, such as the machine learning model (used
mainly for phishing).
Checks for duplicate incidents using the FindSimilarIncidents
script, which is a rule-based script.
If duplicate incidents
are found, they are closed as duplicates.
DeDup incidents -ML
You can set the threshold for the duplicate incidents.
If duplicate incidents are found, they are closed as duplicates.