Dedup - Generic v2

This playbook identifies duplicate incidents using one of the supported methods.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • Builtin

Scripts

  • FindSimilarIncidentsByText
  • CloseInvestigationAsDuplicate
  • FindSimilarIncidents
  • GetDuplicatesMlv2

Commands

  • linkIncidents

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| DuplicateMethod | Select a method for identifying duplicate incidents. Can be "ml", "rules", or "text". 'rules' defines specific rules, such as similar incident fields and labels; this method works best if you know the exact logic for finding similar incidents. 'text' uses text similarity based on TF-IDF (unique word frequency in the incidents), computed over the similar incident fields. 'ml' uses a machine learning model trained on similar phishing incidents and considers similar labels, incident fields, and indicators. | | | Required |
| DuplicateThreshold | The similarity threshold (0-1) at which an incident is considered a duplicate, where "1" is a duplicate and "0" is not a duplicate. Used by the ML and text methods. | 0.9 | | Required |
| TimeFrameHours | The time frame (in hours) in which to check for duplicate incident candidates. | 72 | | Required |
| IgnoreCloseIncidents | Whether to ignore closed incidents. Can be "yes" or "no". | yes | | Required |
| MaxNumberOfCandidates | The maximum number of candidates to check for duplication. | 1000 | | Optional |
| CloseAsDuplicate | Whether to close incidents identified as duplicates. Can be "true" or "false". | true | | Optional |
| TimeField | The time field by which to query past incidents for duplicate candidates. Values: created, occurred, modified. | created | | Optional |
| similarLabelsKeys | A comma-separated list of similar label keys. Also supports allowing X different words between labels, written as label_name:X, where X is the number of words. X can also be '*' for contains. For example, the value "Email/subject:*" considers email subjects similar if one is a substring of the other. Relevant for the 'rules' method. | | | Optional |
| similarIncidentFields | Fields to compare, as a comma-separated list. Can be label names, incident fields, or custom fields. Relevant for the 'text' and 'rules' methods. | name,type,details | | Optional |
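The following is an added example, not one of the playbook's own scripts: a small stand-in for the 'rules' and 'text' methods selected by DuplicateMethod, showing how a similarLabelsKeys spec ("label_name:X", "label_name:*") and the DuplicateThreshold are applied to constructed incidents. The reading of ":X" as "at most X words differ between the two label values" and the two-incident TF-IDF corpus are simplifying assumptions.

```python
import math
import re
from collections import Counter

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def tfidf_cosine(a, b):
    """Cosine of smoothed TF-IDF vectors; the corpus is just the two incidents."""
    ta, tb = Counter(tokens(a)), Counter(tokens(b))
    vocab = ta.keys() | tb.keys()
    idf = {w: math.log(3 / (1 + (w in ta) + (w in tb))) + 1 for w in vocab}
    va = {w: ta[w] * idf[w] for w in vocab}
    vb = {w: tb[w] * idf[w] for w in vocab}
    dot = sum(va[w] * vb[w] for w in vocab)
    norm = math.hypot(*va.values()) * math.hypot(*vb.values())
    return dot / norm if norm else 0.0

def labels_similar(spec, labels_a, labels_b):
    """Apply a similarLabelsKeys spec such as 'Email/subject:*,Email/from'.
    ':*' means one value contains the other, ':X' allows X differing words
    (assumed to mean the symmetric difference of word sets), and no suffix
    means an exact match. A label missing on either side never matches."""
    for item in spec.split(","):
        key, _, tol = item.strip().partition(":")
        a, b = labels_a.get(key), labels_b.get(key)
        if a is None or b is None:
            return False
        if tol == "*":
            if a not in b and b not in a:
                return False
        elif len(set(tokens(a)) ^ set(tokens(b))) > int(tol or 0):
            return False
    return True

def is_duplicate(new, candidate, method, threshold=0.9,
                 fields=("name", "details"), label_keys=""):
    """Dispatch on the DuplicateMethod value; 'ml' needs the trained model."""
    if method == "rules":
        return labels_similar(label_keys, new["labels"], candidate["labels"])
    if method == "text":
        join = lambda inc: " ".join(str(inc.get(f, "")) for f in fields)
        return tfidf_cosine(join(new), join(candidate)) >= threshold
    raise ValueError("unsupported method: %s" % method)

# Constructed sample incidents (not real data).
NEW = {"name": "Phishing email reported by user", "details": "Subject: Invoice 4411",
       "labels": {"Email/subject": "RE: Invoice 4411", "Email/from": "billing@example.com"}}
OLD = {"name": "Phishing email reported by user", "details": "Subject: Invoice 4412",
       "labels": {"Email/subject": "Invoice 4411", "Email/from": "billing@example.com"}}
```

With the default threshold of 0.9, a single changed invoice number already drops the text score to about 0.78, while the rules method with "Email/subject:*" still links the two incidents.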

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| isSimilarIncidentFound | Whether a similar incident was found. Can be "true" or "false". | boolean |
| similarIncident | The similar incident. | unknown |

Playbook Image