Skip to main content

FindSimilarIncidents

This Script is part of the Common Scripts Pack.#

Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label).

This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Script Data#


NameDescription
Script Typepython2
Tagsdedup, duplicate, incidents
Cortex XSOAR Version5.0.0

Used In#


This script is used in the following playbooks and scripts.

  • Cortex XDR incident handling v2
  • DeDup incidents
  • Dedup - Generic
  • Dedup - Generic v2
  • Dedup - Generic v3
  • Handle Darktrace Model Breach
  • JOB - Integrations and Incidents Health Check
  • Palo Alto Networks - Endpoint Malware Investigation v2
  • Palo Alto Networks - Endpoint Malware Investigation v3
  • Shift handover

Inputs#


Argument NameDescription
similarIncidentKeysA comma-separated list of identical incident keys.
similarLabelsKeysA comma-separated list of similar label keys. Comma separated value. Also supports allowing X different words between labels, within the following way: label_name:X, where X is the number of words. X can also be '*' for contains. For example: the value "Email/subject:*" will consider email subject similar, if one is substring of the other.
similarContextKeysA comma-separated list of similar context keys. Also supports allowing X different words between values (see the labels description).
similarCustomFieldsA comma-separated list of Similar custom fields keys. Also supports allowing X different words between values (see the labels description).
ignoreClosedIncidentsWhether to ignore closed incidents as duplicate candidates. Can be "yes" (ignore) or "no" (don't ignore). The default value is "yes".
maxNumberOfIncidentsMaximum number of incidents to query.
hoursBackQuery incidents in the last X hours. Supports float value.
timeFieldFilter incidents by this time field.
maxResultsMaximum number of results to display.
similarIncidentFieldsA comma-separated list of similar incident fields keys. Also supports allowing X different words between values (see the labels description).
filterQueryUse this query condition when fetching duplicate incidents.
incidentFieldsAppliedConditionThe condition to apply between incident fields. Can be "OR" or "AND". This will apply only for fields with "exact match".
skipMissingValuesWhether to skip the incident if it does not have specific key. Can be "yes" (skip) or "no" (don't skip). The default value is "yes". WARNING: if no fields exist in the incident, random incidents might be returned as results due to the empty condition.

Outputs#


PathDescriptionType
similarIncident.rawIdSimilar incident ID.string
isSimilarIncidentFoundWhether a similar incident was found ("true" or "false").boolean
similarIncidentSimilar incident.unknown
similarIncident.nameSimilar incident name.string