Create Pre-Process Rules for Incidents

Create pre-process rules to perform actions as incidents are ingested, such as linking new incidents to existing incidents, dropping duplicates, etc.
Pre-processing rules enable you to perform certain actions on incidents as they are ingested into Cortex XSOAR. You can, for example, link an incoming incident to an existing incident, or under certain conditions, drop the incoming incident altogether.
Rules are applied in descending order, and only one rule is applied per incident.
  1. Select Pre-Process Rules > New Rule.
  2. In the Rule Name field, type a name for the rule. Give a meaningful name that helps you identify what the rule does; this is useful when viewing the list of rules.
  3. If you want the rule to apply to a specific incident, in the Conditions for Incoming incident section, click Add filter and set the incident field and value. For example, if you know there is a phishing campaign, you can create a rule for the email subject field with the subject of the phishing email as the value. You can add multiple conditions within a filter and add multiple filters. For more information about filters, see Filter Operators.
  4. In the section, from the drop-down list, select which action to take if the incoming incident matches the rule.
  5. Depending on the selected action, complete the corresponding section. For example, if you select Drop and update, complete the fields in that section. Section 3 enables you to link an incoming incident to an existing incident and update it according to the selected filter. For information about the section and its fields, see Rule Actions for Pre-Process Rules.
  6. ( ) From the dropdown list, select the propagation label. When syncing from the Main Account to a tenant, the pre-processing rule is sent to the tenant based on the propagation label.
  7. ( ) In a remote repository or in a multi-tenant environment, you can view the relevant dependencies to ensure that all necessary dependencies are propagated or pushed to the remote repository.
  8. ( ) To check that the rules are effective and efficient, test the rule. Testing is useful to check that you are receiving the desired results before putting a rule into production. We recommend you fetch data from an existing incident as a sample incident against which the rule can run. You can also manually enter JSON to use as a test sample or edit the JSON from an existing incident using the
  9. Click
In most cases, in a phishing campaign, the email subject is similar. In section 1, we create a condition for incoming incidents whose email subject is "this is a phishing email".
As this is a known phishing campaign, we want to link the incoming incident to an existing incident and close the incoming incident.
In Section 3, we tell Cortex XSOAR which incident to link (update) the incoming incident to. In this example, we link by email subject to the oldest incident (the first incident in the campaign), and only to incidents whose email subject is identical to the incoming incident's.
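The following is an added example, not Cortex XSOAR code, that models the evaluation behaviour described above: rules are checked in descending order, only the first matching rule is applied, and a Drop and update action links the incoming incident to the oldest existing incident with an identical email subject and then drops the incoming one. The incident and rule shapes, the action names, and the sample incidents are all constructed for this illustration.

```python
"""Constructed model of pre-process rule evaluation (added example, not XSOAR code)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Incident:
    id: int
    created: datetime
    fields: dict = field(default_factory=dict)
    linked_to: Optional[int] = None   # id of the existing incident this one was linked to
    dropped: bool = False


@dataclass
class Rule:
    name: str
    conditions: dict                   # incident field -> required value; all must match
    action: str                        # "drop", "link" or "drop_and_update" (assumed names)
    link_field: Optional[str] = None   # field that must be identical on the existing incident


def matches(rule: Rule, incident: Incident) -> bool:
    """A rule fires only when every one of its conditions holds for the incoming incident."""
    return all(incident.fields.get(k) == v for k, v in rule.conditions.items())


def oldest_matching(existing: list, incoming: Incident, key: str) -> Optional[Incident]:
    """The oldest non-dropped incident whose `key` field is identical to the incoming one's."""
    candidates = [e for e in existing
                  if not e.dropped and e.fields.get(key) == incoming.fields.get(key)]
    return min(candidates, key=lambda e: e.created, default=None)


def preprocess(rules: list, existing: list, incoming: Incident) -> tuple:
    """Evaluate rules top to bottom; the first rule that matches is the only one applied."""
    for rule in rules:
        if not matches(rule, incoming):
            continue
        if rule.action == "drop":
            incoming.dropped = True
            return rule.name, "dropped"
        target = oldest_matching(existing, incoming, rule.link_field)
        if target is None:
            existing.append(incoming)          # nothing to link to: created as usual
            return rule.name, "created"
        incoming.linked_to = target.id
        if rule.action == "drop_and_update":
            target.fields["linked_count"] = target.fields.get("linked_count", 0) + 1
            incoming.dropped = True            # incoming is closed; the existing one is updated
            return rule.name, f"linked to {target.id} and dropped"
        existing.append(incoming)              # plain "link": keep the incoming incident too
        return rule.name, f"linked to {target.id}"
    existing.append(incoming)                  # no rule matched: ordinary ingestion
    return None, "created"


def run_demo() -> list:
    """Constructed sample data: two campaign incidents, one unrelated, and four new arrivals."""
    existing = [
        Incident(1, datetime(2024, 1, 1), {"emailsubject": "this is a phishing email"}),
        Incident(2, datetime(2024, 1, 2), {"emailsubject": "this is a phishing email"}),
        Incident(3, datetime(2024, 1, 3), {"emailsubject": "invoice attached"}),
    ]
    rules = [
        Rule("known phishing campaign", {"emailsubject": "this is a phishing email"},
             "drop_and_update", link_field="emailsubject"),
        Rule("drop test incidents", {"name": "test"}, "drop"),
    ]
    incoming = [
        Incident(4, datetime(2024, 2, 1), {"emailsubject": "this is a phishing email"}),
        # matches both rules, but only the first (higher) rule is applied
        Incident(5, datetime(2024, 2, 2), {"name": "test", "emailsubject": "this is a phishing email"}),
        Incident(6, datetime(2024, 2, 3), {"name": "test", "emailsubject": "unrelated"}),
        Incident(7, datetime(2024, 2, 4), {"emailsubject": "unrelated"}),
    ]
    return [preprocess(rules, existing, inc) for inc in incoming]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Incident 5 shows why rule order matters: it satisfies both rules, but because only one rule is applied per incident, the higher "known phishing campaign" rule wins and the drop rule is never reached. Incident 4 is linked to incident 1 rather than 2 because the link targets the oldest incident with an identical subject.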
