Manage related incidents by using the related incidents
map in Cortex XSOAR. De-duplicate and link related incidents.
Related incidents are a visual representation
of incidents that share similar characteristics, such as malicious
indicators or being part of a single phishing campaign. Viewing related
incidents in a single view enables you to consolidate the investigation
by deduplicating and linking related incidents to the incident you
are viewing. Linking incidents helps you assess whether the action
taken is effective.
Using the Related Incidents Map
Go to the incident that you are investigating and click
Understanding the Related Incidents Map
The incident you are currently investigating is at the
center of the Related Incidents map, surrounded by the related incidents.
The more similar a related incident, the closer it is to the center.
The incidents are categorized according to incident status
(pending, active, and closed) and type (such as malware, phishing,
and so on). In this example, phishing is categorized:
The map has a time spectrum. Incidents on the right side
of the map are newer than the current incident, and the incidents
on the left are older. Related incidents are spread across the spectrum
according to the time the incident was created. The time scope is
30 days before and 30 days after the currently investigated incident.
You can modify the range by using the
related incidents that are more similar or less similar to the current
Hover over a related incident to view detailed information.
Click an incident to view a comparison of the two incidents,
which shows instances of similar indicators between the incidents.
You can click multiple incidents by using
ctrl + click
command + click
window, you can pair as
. The incident appears as linked
table in the
If you want to build your own related incidents and indicators
a layout of your choice, use the Canvas.
page is orientated
towards exploration and searching for similar data.
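
The layout rules described above (a window of 30 days either side of the current incident, more similar incidents closer to the center, older incidents on the left and newer on the right) can be modeled in a few lines. This is an added example, not Cortex XSOAR code: the Jaccard score over shared indicators is an assumed similarity metric, the field names are hypothetical, and the incidents are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # the page's default scope: 30 days before and after


def incident(id_, created, status, type_, indicators):
    """Build a constructed sample incident (hypothetical field names)."""
    return {"id": id_, "created": datetime.fromisoformat(created),
            "status": status, "type": type_, "indicators": set(indicators)}


# Constructed sample data using reserved documentation domains and addresses.
CURRENT = incident(1, "2024-03-15", "active", "phishing",
                   ["evil.example", "203.0.113.7", "a@evil.example"])
INCIDENTS = [
    CURRENT,
    incident(2, "2024-03-10", "pending", "phishing",
             ["evil.example", "203.0.113.7", "a@evil.example"]),
    incident(3, "2024-03-20", "active", "malware",
             ["evil.example", "198.51.100.9"]),
    incident(4, "2024-01-01", "closed", "phishing", ["evil.example"]),  # outside window
    incident(5, "2024-03-16", "active", "phishing", ["other.example"]),  # nothing shared
]


def similarity(a, b):
    """Jaccard overlap of two indicator sets (assumed metric, not the product's)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def related_map(current, incidents, window=WINDOW):
    """Return related incidents, most similar (closest to the center) first."""
    rows = []
    for other in incidents:
        delta = other["created"] - current["created"]
        shared = other["indicators"] & current["indicators"]
        if other["id"] == current["id"] or abs(delta) > window or not shared:
            continue
        rows.append({
            "id": other["id"], "status": other["status"], "type": other["type"],
            "side": "right (newer)" if delta > timedelta(0) else "left (older)",
            "days": delta.days,
            "score": round(similarity(other["indicators"], current["indicators"]), 2),
            "shared": sorted(shared),
        })
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in related_map(CURRENT, INCIDENTS):
        print(row)
```

An incident that scores 1.0 against the current one is a natural candidate for de-duplication, while a partial overlap is a candidate for linking.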