Create pre-process rules to perform actions as incidents
are ingested, such as linking new incidents to existing incidents,
dropping duplicates, etc.
Pre-processing rules enable you to perform
certain actions on incidents as they are ingested into Cortex XSOAR.
You can, for example, link an incoming incident to an existing incident,
or under certain conditions, drop the incoming incident altogether.
are applied in descending order, and only one rule is applied per
field, type a
name for the rule.
Give a meaningful name that helps you identify what the
rule does. This will be useful when viewing the list of rules.
If you want the rule to apply to a specific incident,
Conditions for Incoming incident
and set the incident field
For example, if you know there is a phishing campaign,
you can create a rule for email subject with potential phishing
as the value.
You can add multiple conditions within a filter
and add multiple filters. For more information about filters, see Filter Operators.
section, from the
drop-down list determine which action to take if the incoming incident
matches the rule.
Depending on the Action field, complete section
For example, in the
if you select
Drop and update
, in section
Section 3 enables
you to link to an incoming event and update the incident depending
on the selected filter. For information about the
) From the dropdown list, select
the propagation label. When syncing from the Main Account to the
tenant, the pre-processing rule is sent the tenant based on the
) In a remote repository or in an Multi-tenant environment,
you can view the relevant dependencies to ensure that all necessary
dependencies are propagated or pushed to the remote repository.
) To check that the rules are effective
and efficient, click
Testing is useful to check that you are receiving the desired
results before putting a rule into production. We recommend you
fetch data from an existing incident as a sample incident against
which the rule can run. You can also manually enter JSON to use
as a test sample or edit the JSON from an existing incident using
most cases, in a phishing campaign, the email subject is similar.
In section 1, we create a condition for incoming incidents with
the email subject
this is a phishing email
is a known phishing campaign, we want to link the incoming incident
to an existing incident and close the incoming incident.
Section 3, we tell Cortex XSOAR to which incident to link (update)
the incoming incident. In this example, we link the email subject
to the oldest incident, (link to the first incident in the campaign)
and to those email subjects that are identical to the incoming incident.