Skip to main content

Dedup - Generic v2

This Playbook is part of the Common Playbooks Pack.#


Use the Dedup Generic v3 playbook instead.

Deprecated. Please use Dedup Generic v3. This playbook identifies duplicate incidents using one of the supported methods.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • FindSimilarIncidentsByText
  • CloseInvestigationAsDuplicate
  • FindSimilarIncidents
  • GetDuplicatesMlv2


  • linkIncidents

Playbook Inputs#

NameDescriptionDefault ValueRequired
DuplicateMethodSelect a method for identifying duplicate incidents. Can be "ml", "rules", or "text". 'rules' - defines specific rules, such as similar incident fields & labels. This method works best if you know the exact logic to find similar incidents. 'text' - text similarity, based on TF-IDF - unique word frequency in the incidents (based on similar incident fields) 'ml' - machine learning model, which was trained on similar phishing incidents. Considers similar labels, incident fields, and indicators.Required
DuplicateThresholdThe similarity threshold by which to consider an incident as a duplicate (0-1), where "1" is a duplicate and "0" is not a duplicate. Use this argument in the ML or text methods.0.9Required
TimeFrameHoursThe time frame (in hours) in which to check for duplicate incident candidates.72Required
IgnoreCloseIncidentsWhether to ignore closed incidents. Can be "yes" or "no".yesRequired
MaxNumberOfCandidatesThe maximum number of candidates to check for duplication.1000Optional
CloseAsDuplicateWhether to close incidents identified as duplicates. Can be "true" or "false".trueOptional
TimeFieldThe Time field by which to query for past incidents to check for duplicate incident candidates. Values: created, occurred, modifiedcreatedOptional
similarLabelsKeysA comma-separated list of similar label keys. Comma separated value. Also supports allowing X different words between labels, within the following way: label_name:X, where X is the number of words. X can also be '*' for contains. For example: the value "Email/subject:*" will consider email subject similar, if one is substring of the other. Relevant for 'Rules' method.Optional
similarIncidentFieldsFields to compare. Can be label name, incident fields or custom fields. Comma separated value. Relevant for 'Text' and 'Rules',type,detailsOptional

Playbook Outputs#

isSimilarIncidentFoundWhether a similar incident was found? Can be "true" or "false".boolean
similarIncidentThe similar incident.unknown

Playbook Image#

Dedup - Generic v2