Skip to main content

Dedup - Generic v4

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database.

Note: To identify similar incidents you must properly define the playbook inputs.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • DBotFindSimilarIncidents
  • DBotFindSimilarIncidentsByIndicators


  • linkIncidents
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
methodChoose the way you want to identify similar incidents. Choose between "Indicators" / "Fields" / "Fields and Indicators".Fields and IndicatorsRequired
handleSimilarThis input defines how to handle similar incidents.
Possible values: "Link " (default), "Close", and "Link and Close".
Note: Close incidents requires you to define the "CloseSimilar" input as well.
Also, the incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
fieldExactMatchSelect the incident field name you want the script to query.
For example, if you select <Type>, the playbook will query against the database for all incidents with the same type as your current incident.
Note: If you use comma-separated values, the operator between them will be *AND*.
fieldsToDisplayA comma-separated list of additional incident fields to display in the context output. These fields can be used later on for layouts or other states if needed.
(Those which will not be taken into account when computing similarity)
fromDateThe start date to filter incidents. Date format is the same as in the incidents query page, for example, "3 days ago", "1 month ago", "2019-01-01T00:00:00 +0200").1 months agoOptional
limitThe maximum number of incidents to query and set to context data.
Default is: 200
minimunIncidentSimilarityRetain incidents with a similarity score greater than the MinimunIncidentSimilarity.
Default: 0.2
Value should be between 0 to 1 [0=low similarity, 1=identical]
similarTextFieldA comma-separated list of incident text fields to take into account when computing similarity. For example commandline, URLRequired
CloseSimilarDefines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical].
showIncidentSimilarityForAllFieldsWhether to display the similarity score for each of the incident fields that were entered in the "similarTextField".
Default: True
queryThe argument for dedicated query on incidents. This helps reduce the query size.
Default (same is in the Incident tab): "-status:closed -category:job "
-status:closed -category:jobOptional
closeReasonSpecify the reason for closing the incident. This information will be added as a note/comment to the closed incident.Closed by Dedup Playbook within inc ${}Optional

Playbook Outputs#

DBotFindSimilarIncidentsReturn all the results from the "DBotFindSimilarIncidents" script.unknown
DBotFindSimilarIncidentsByIndicatorsReturn all the results from the "DBotFindSimilarIncidentsByIndicators" script.unknown

Playbook Image#

Dedup - Generic v4