# DBotFindSimilarIncidents

This Script is part of the Base Pack.

Find past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments.
## Script Data

Name | Description |
---|---|
Script Type | python3 |
Cortex XSOAR Version | 5.0.0 |
## Used In

This script is used in the following playbooks and scripts.

- Cortex XDR incident handling v3
- Dedup - Generic v4
- Endpoint Malware Investigation - Generic V2
## Inputs

Argument Name | Description |
---|---|
incidentId | Incident ID to get the prediction of. If empty, predicts the current incident ID. |
similarTextField | Comma-separated list of incident text fields to take into account when computing similarity. For example: commandline, URL. Note: In order to calculate similarity, fields must consist of a minimum of 2 letters. |
similarCategoricalField | Comma-separated list of incident categorical fields to take into account when computing similarity. For example: IP, URL. Note: In order to calculate similarity, fields must consist of a minimum of 2 letters. |
similarJsonField | Comma-separated list of incident JSON fields to take into account when computing similarity. For example: CustomFields. Note: In order to calculate similarity, fields must consist of a minimum of 2 letters. |
fieldsToDisplay | Comma-separated list of additional incident fields to display, but which will not be taken into account when computing similarity. |
fieldExactMatch | Comma-separated list of incident fields that have to be equal to the current incident fields. This helps reduce the query size. These fields are not part of the similarity calculation. |
useAllFields | Whether to use a predefined set of fields and custom fields to compute similarity. If "True", it will ignore values in similarTextField, similarCategoricalField, similarJsonField. |
fromDate | The start date by which to filter incidents. Date format will be the same as in the incidents query page, for example, "3 days ago", "2019-01-01T00:00:00 +0200". |
toDate | The end date by which to filter incidents. Date format will be the same as in the incidents query page, for example, "3 days ago", "2019-01-01T00:00:00 +0200". |
query | Argument for the query. This helps reduce the query size. |
limit | The maximum number of incidents to query. |
aggreagateIncidentsDifferentDate | Whether to aggregate duplicate incidents within different dates. |
showIncidentSimilarityForAllFields | Whether to display the similarity score for each of the incident fields. |
minimunIncidentSimilarity | Retain only incidents whose similarity score is higher than this value. |
maxIncidentsToDisplay | The maximum number of incidents to display. |
showCurrentIncident | Whether to display the current incident. |
includeIndicatorsSimilarity | Whether to include similarity of indicators from DBotFindSimilarIncidentsByIndicators in the final score. |
minNumberOfIndicators | The minimum number of indicators required related to the incident before running the model. Relevant if includeIndicatorsSimilarity is "True". |
indicatorsTypes | Comma-separated list of indicator types to take into account. If empty, uses all indicator types. Relevant if includeIndicatorsSimilarity is "True". |
maxIncidentsInIndicatorsForWhiteList | Helps filter out indicators that appear in many incidents. Relevant if includeIndicatorsSimilarity is "True". |
## Outputs

There are no outputs for this script.