Skip to main content


This Script is part of the Phishing Pack.#

Can be used to find duplicate emails for incidents of type phishing, including malicious, spam, and legitimate emails.

Script Data#

Script Typepython3
Tagsml, phishing
Cortex XSOAR Version5.0.0


Argument NameDescription
incidentTypeFieldNameThe name of the incident field where its type is stored. Default is "type". Change this argument only in case you use a custom field for specifying incident type.
incidentTypesA comma-separated list of incident types by which to filter. The default is the current incident type. Specify "None" to ignore incident type from deduplication logic.
existingIncidentsLookbackThe start date by which to search for duplicated existing incidents. Date format is the same as in the incidents query page. For example, "3 days ago", "2019-01-01T00:00:00 +0200").
queryAdditional text by which to query incidents.
limitThe maximum number of incidents to fetch.
emailSubjectSubject of the email.
emailBodyBody of the email.
emailBodyHTMLHTML body of the email.
emailFromIncident fields contains the email from value.
fromPolicyWhether to take into account the email from field for deduplication. "TextOnly" - incidents will be considered as duplicated based on test similarity only, ignoring the sender's address. "Exact" - incidents will be considered as duplicated if their text is similar and their sender is the same. "Domain" - incidents will be considered as duplicated if their text is similar and their senders' address has the same domain. Default is "Domain".
statusScopeWhether to compare the new incident to past closed or non closed incidents only.
closeAsDuplicateWhether to close the current incident if a duplicate incident is found.
thresholdThreshold to consider incident as duplication, number between 0-1
maxIncidentsToReturnMaximum number of duplicate incidents IDs to return.
populateFieldsA comma-separated list of incident fields to populate.
exsitingIncidentsLookbackDeprecated. Use the *existingIncidentsLookback* argument instead.


duplicateIncidentThe oldest duplicate incident found with the highest similarity to the current incident.unknown
duplicateIncident.idDuplicate incident ID.string
duplicateIncident.rawIdDuplicate incident ID.Unknown
duplicateIncident.nameDuplicate incident name.Unknown
duplicateIncident.similarityNumber in range 0-1 which describe the similarity between the existing incident and the new incident.Unknown
isDuplicateIncidentFoundWhether a duplicate incident was found ("true" or "false").boolean
allDuplicateIncidentsAll duplicate incidents found where their similarity with the new incident exceeds the threshold.Unknown
allDuplicateIncidents.idA list of all duplicate incidents IDs found.Unknown
allDuplicateIncidents.rawIdA list of all duplicate incidents IDs found.Unknown
allDuplicateIncidents.nameA list of all duplicate incidents names found.Unknown
allDuplicateIncidents.similarityA list of the similarity between duplicate incidents and new the incident of all duplicate incidents names found.Unknown