1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Incident Management
    7. Link Incidents
    8. Manage Related Incidents

    Manage Related Incidents

    Manage related incidents by using the related incidents map in Cortex XSOAR. De-duplicate and link related incidents.
    Related incidents are a visual representation of incidents that share similar characteristics, such as malicious indicators, or part of a single phishing campaign. Viewing related incidents in a single view enables you to consolidate the investigation by deduplicating and linking related incidents to the incident you are viewing. Linking incidents helps you assess whether the action taken is effective.
    Using the Related Incidents Map
    Go to the incident that you are investigating and click
    Related Incidents
    .
    Understanding the Related Incidents Map
    • The incident you are currently investigating is at the center of the Related Incidents map, surrounded by the related incidents. The more similar a related incident, the closer it is to the center.
    • The incidents are categorized according to incident status (pending, active, and closed) and type (such as malware, phishing, and so on). In this example, phishing is categorized:
      Shape
      Status
      Pending status
      Active status
      Closed status
    • The map has a time spectrum. Incidents on the right side of the map are newer than the current incident, and the incidents on the left are older. Related incidents are spread across the spectrum according to the time the incident was created. The time scope is 30 days before and 30 days after the currently investigated incident. You can modify the range by using the
      Date Range
      .
    • Use the
      Similarity Scale
      to display related incidents that are more similar or less similar to the current incident.
    • Hover over a related incident to view detailed information.
    • Click an incident to view a comparison of the two incidents, which shows instances of similar indicators between the incidents. You can click multiple incidents by using
      ctrl + click
       or
      command + click
      . In the
      Similarities
      window, you can pair as
      Linked
       or as
      Duplicate
      . The incident appears as linked in the
      Linked Incidents
       table in the
      Case info
       tab.
    If you want to build your own related incidents and indicators a layout of your choice, use the Canvas. The
    Related Incidents
     page is orientated towards exploration and searching for similar data.
    You can configure an allow list or an ignore list for which incident fields to use for related incidents, as described in Configure Incident Fields for Related Incidents.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo