1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Incident Management
    7. Incident De-Duplication
    8. Create Pre-Process Rules for Incidents

    Create Pre-Process Rules for Incidents

    Create pre-process rules to perform actions as incidents are ingested, such as linking new incidents to existing incidents, dropping duplicates, etc.
    Pre-processing rules enable you to perform certain actions on incidents as they are ingested into Cortex XSOAR. You can, for example, link an incoming incident to an existing incident, or under certain conditions, drop the incoming incident altogether.
    Rules are applied in descending order, and only one rule is applied per incident.
    1. Select
      Settings
      Integrations
      Pre-Process Rules
      New Rule
      .
    2. In the
      Rule Name
       field, type a name for the rule.
      Give a meaningful name that helps you identify what the rule does. This will be useful when viewing the list of rules.
    3. If you want the rule to apply to a specific incident, in the
      Conditions for Incoming incident
       section, click
      Add filter
       and set the incident field and value.
      For example, if you know there is a phishing campaign, you can create a rule for email subject with potential phishing as the value.
      You can add multiple conditions within a filter and add multiple filters. For more information about filters, see Filter Operators.
    4. In the
      Action
       section, from the drop-down list determine which action to take if the incoming incident matches the rule.
    5. Depending on the Action field, complete section
      3.
      For example, in the
      Action
       field, if you select
      Drop and update
      , in section
      3
      , complete the
      Update
       field.
      Section 3 enables you to link to an incoming event and update the incident depending on the selected filter. For information about the
      Action
       section and the fields in section
      3
      , see Rule Actions for Pre-Process Rules.
    6. (
      Multi-tenant
      ) From the dropdown list, select the propagation label. When syncing from the Main Account to the tenant, the pre-processing rule is sent the tenant based on the propagation label.
    7. (
      Optional
      ) In a remote repository or in an Multi-tenant environment, you can view the relevant dependencies to ensure that all necessary dependencies are propagated or pushed to the remote repository.
    8. (
      Optional
      ) To check that the rules are effective and efficient, click
      Test
      .
      Testing is useful to check that you are receiving the desired results before putting a rule into production. We recommend you fetch data from an existing incident as a sample incident against which the rule can run. You can also manually enter JSON to use as a test sample or edit the JSON from an existing incident using the
      Edit
       button.
    9. Click
      Save
      .
    In most cases, in a phishing campaign, the email subject is similar. In section 1, we create a condition for incoming incidents with the email subject
    this is a phishing email
    .
    As this is a known phishing campaign, we want to link the incoming incident to an existing incident and close the incoming incident.
    In Section 3, we tell Cortex XSOAR to which incident to link (update) the incoming incident. In this example, we link the email subject to the oldest incident, (link to the first incident in the campaign) and to those email subjects that are identical to the incoming incident.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo