Incident De-Duplication

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

De-duplicate incidents either manually or automatically in Cortex XSOAR. Mark as duplicate using pre-process rules or playbooks.

In the lifecycle of incident management, there are cases when incidents are duplicated. Cortex XSOAR provides the following de-duplication capabilities:

  • Manual De-Duplication: You can manually de-duplicate incidents from the Incidents page or the Related Incidents page. To de-duplicate incidents manually, see Manually De-Duplicate Incidents.

  • Automatic De-Duplication: You can automatically de-duplicate incidents by using Pre-Process Rules and Scripts.

  • Automations: You can create an automation that creates child incidents from duplicates.

  • Playbooks: Identify, review or close duplicate incidents using playbooks.

Pre-Process Rules

Pre-Process rules, which you configure directly in the user interface, enable you to perform certain actions on incidents as soon as they are ingested into Cortex XSOAR. Through these rules, you can select incoming events on which to perform actions, for example, link the incoming incident to an existing incident, or, under pre-configured conditions, drop the incoming incident altogether.

You can de-duplicate incidents by selecting the Link and Close action in the Pre-Process Rules tab. To create a pre-process rule, see Create Pre-Process Rules for Incidents. After you create a pre-process rule, in the Pre-Process Rules tab, you can do the following:

  • View, edit, copy, or delete the Pre-Process Rule.

  • Enable/disable the Pre-Process Rule.

The Link and Close action creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If no existing incident matches the defined criteria, a new incident is created for the incoming event.
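The following Python script is an added, stand-alone simulation of the Link and Close behaviour described above; it is not Cortex XSOAR code and does not call the XSOAR API. The guide only states the outcome (matching incoming incident is linked to the existing one and closed, otherwise a new incident is created), so the matching criteria used here are assumptions chosen for the example: equal values of the configured fields, the existing incident must still be open, and it must have been created within a lookback window. The field names emailfrom and emailsubject and the sample events are constructed for the demonstration.

```python
"""Simulation of a pre-process "Link and Close" de-duplication rule.

Added illustration, not XSOAR code. Matching criteria (equal field values,
existing incident still open, created within a lookback window) are
assumptions for this example, not documented XSOAR behaviour.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    id: int
    created: datetime
    fields: Dict[str, str]
    status: str = "open"                      # "open" or "closed"
    close_reason: str = ""
    linked_incidents: List[int] = field(default_factory=list)


@dataclass
class LinkAndCloseRule:
    """Pre-process rule: match incoming incidents on the listed fields."""
    match_fields: List[str]
    lookback: timedelta = timedelta(days=1)   # assumption: search window

    def matches(self, existing: Incident, incoming: Incident) -> bool:
        if existing.status != "open":          # assumption: never link to closed incidents
            return False
        if incoming.created - existing.created > self.lookback:
            return False
        return all(existing.fields.get(f) == incoming.fields.get(f)
                   for f in self.match_fields)


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: Dict[int, Incident] = {}
        self._next_id = 1

    def ingest(self, created: datetime, fields: Dict[str, str],
               rule: Optional[LinkAndCloseRule] = None) -> dict:
        """Apply the pre-process rule to one incoming event and report the outcome."""
        incoming = Incident(id=self._next_id, created=created, fields=fields)
        self._next_id += 1

        if rule is not None:
            # Prefer the most recent matching open incident as the link target.
            candidates = [inc for inc in self.incidents.values()
                          if rule.matches(inc, incoming)]
            if candidates:
                target = max(candidates, key=lambda inc: inc.created)
                # Link and Close: record the link on the existing incident
                # and close the incoming incident as a duplicate.
                target.linked_incidents.append(incoming.id)
                incoming.status = "closed"
                incoming.close_reason = "Duplicate"
                self.incidents[incoming.id] = incoming
                return {"action": "link_and_close",
                        "incoming": incoming.id, "linked_to": target.id}

        # No matching incident: a normal new incident is created.
        self.incidents[incoming.id] = incoming
        return {"action": "created", "incoming": incoming.id, "linked_to": None}


def demo() -> Tuple[IncidentStore, List[dict]]:
    """Constructed sample: four phishing-style events; the second duplicates the first,
    the fourth repeats the first but outside the lookback window."""
    store = IncidentStore()
    rule = LinkAndCloseRule(match_fields=["emailfrom", "emailsubject"])
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        (t0, {"emailfrom": "a@example.com", "emailsubject": "Invoice"}),
        (t0 + timedelta(minutes=5), {"emailfrom": "a@example.com", "emailsubject": "Invoice"}),
        (t0 + timedelta(minutes=7), {"emailfrom": "b@example.com", "emailsubject": "Invoice"}),
        (t0 + timedelta(days=2), {"emailfrom": "a@example.com", "emailsubject": "Invoice"}),
    ]
    results = [store.ingest(ts, f, rule) for ts, f in events]
    return store, results


if __name__ == "__main__":
    _, outcomes = demo()
    for r in outcomes:
        print(r)
```

Running the script shows the second event linked to incident 1 and closed, while the third (different sender) and fourth (same sender and subject, but two days later) each create a new incident; because closed duplicates are never match targets, links always accumulate on the original incident rather than chaining through duplicates.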

For troubleshooting, you might need to identify which pre-process rule was triggered. To store pre-process logs in a separate file, go to Settings > About > Troubleshooting > Add Server Configuration and add preprocess.logs.file with the value true.

Playbooks

There are several out-of-the-box playbooks you can run to identify and close duplicate incidents. Alternatively, you can use these playbooks as the basis for customized de-duplication playbooks. For example, instead of automatically closing the duplicate incidents, include a manual review of the duplicate incidents.

Playbook and description:

  • Dedup - Generic v4: Identifies duplicate incidents using the machine learning model (used mainly for phishing).

  • DeDup - Generic v3: Identifies duplicate incidents using one of the supported methods, such as rules, text, and machine learning.