Incident De-Duplication

De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.
In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:
  • Manual De-Duplication
    : You can manually de-duplicate incidents from the
    page or the
    Related Incidents
    page. To de-duplicate incidents manually, see Manually De-Duplicate Incidents.
  • Automatic De-Duplication
    : You can automate de-duplicate incidents by using Pre-Process Rules and Scripts.
  • Automations
    : You can create an automation that creates child incidents from duplicates.
  • Playbooks: Identify, review or close duplicate incidents using playbooks.

Pre-Process Rules

Pre-Process rules enable you to perform certain actions on incidents as soon as they are ingested into Cortex XSOAR directly from the user interface. Through these rules, you can select incoming events on which to perform actions, for example, link the incoming incident to an existing incident, or under pre-configured conditions, drop the incoming incident altogether.
You can de-duplicate incidents by selecting the
Link and Close
action in the
Pre-Process Rules
tab. To create a pre-process rule, see Create Pre-Process Rules for Incidents. After you create a pre-process rule, in the Pre-Process Rules tab, you can do the following:
  • View, edit, copy, or delete the Pre-Process Rule.
  • Enable/disable the Pre-Process Rule.
Link and Close
action creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If an existing incident matching the defining criteria is not found an incident is created for the incoming event.


There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.
Dedup - Generic
Identifies duplicate incidents using one of the supported methods, such as the machine learning model (used mainly for phishing).
DeDup incidents
Checks for duplicate incidents using the FindSimilarIncidents script, which is a rule-based script.
If duplicate incidents are found, they are closed as duplicates.
DeDup incidents -ML
You can set the threshold for the duplicate incidents. If duplicate incidents are found, they are closed as duplicates.

Recommended For You