Check Duplicates Skill
Identify potentially duplicate or similar existing SOAR cases before starting deep analysis.
Inputs
- `CASE_ID`: The ID of the current case to check
- `ALERT_GROUP_IDENTIFIERS`: Alert group identifiers for the case
- `DAYS_BACK` (Optional): How many days to search back (default: 7)
- `INCLUDE_OPEN` (Optional): Include open cases (default: true)
- `INCLUDE_CLOSED` (Optional): Include closed cases (default: false)
Workflow
Step 1: Execute Similarity Check
```
secops-soar.siemplify_get_similar_cases(
    case_id=CASE_ID,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS,
    days_back=DAYS_BACK,
    include_open_cases=INCLUDE_OPEN,
    include_closed_cases=INCLUDE_CLOSED
)
```
Step 2: Process Results
Extract the list of similar case IDs from the response. Exclude the current case itself if the tool returns it, and treat a tool error as a failed check rather than as "no duplicates found".
Outputs
| Output | Description |
|---|---|
| `SIMILAR_CASE_IDS` | List of case IDs identified as potentially similar/duplicate |
| `SIMILARITY_CHECK_STATUS` | Success/failure status of the check |
Usage Pattern
```
1. Check duplicates BEFORE enrichment
2. If duplicates found:
   - Review similar case(s)
   - If confirmed duplicate: close as duplicate
   - If related but distinct: note correlation, continue
3. If no duplicates: proceed with analysis
```
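The following is an added example, not part of this skill or of the secops-soar tool, showing Step 2 (turning the similarity response into the two outputs) and the usage pattern above (deciding what to do with the result). The response shape, field names (`similarCases`, `id`) and case numbers are assumptions made for the sample; the real tool may return a different structure, so adjust `_candidate_ids` to match it.

```python
"""Added example: post-process a similarity check and apply the duplicate-triage pattern."""
from __future__ import annotations

from typing import Any

# Constructed sample response. The field names are an assumption about the
# tool's output; they are not taken from the secops-soar documentation.
SAMPLE_RESPONSE: dict[str, Any] = {
    "similarCases": [
        {"id": 1042, "title": "Suspicious PowerShell on host-17", "status": "open"},
        {"id": 1001, "title": "Suspicious PowerShell on host-17", "status": "open"},
        {"id": 987, "title": "Same alert group, different host", "status": "closed"},
        {"id": 1042, "title": "Suspicious PowerShell on host-17", "status": "open"},
    ]
}
CURRENT_CASE_ID = 1001  # constructed: the case being checked


def _candidate_ids(response: Any) -> list[Any]:
    """Pull raw case identifiers out of the response, tolerating a few shapes:
    a bare list of IDs, a list of case objects, or a dict wrapping either."""
    if isinstance(response, dict):
        for key in ("similarCases", "similar_cases", "caseIds", "case_ids"):
            if key in response:
                return _candidate_ids(response[key])
        return []
    if isinstance(response, list):
        ids = []
        for item in response:
            if isinstance(item, dict):
                ids.append(item.get("id", item.get("caseId", item.get("case_id"))))
            else:
                ids.append(item)
        return ids
    return []


def extract_similar_case_ids(response: Any, current_case_id: int) -> list[int]:
    """Step 2: build SIMILAR_CASE_IDS. Drops the current case (a similarity search
    often returns it as its own best match), skips non-integer entries and
    de-duplicates while preserving the tool's ordering."""
    seen: set[int] = set()
    result: list[int] = []
    for raw in _candidate_ids(response):
        try:
            case_id = int(raw)
        except (TypeError, ValueError):
            continue
        if case_id == current_case_id or case_id in seen:
            continue
        seen.add(case_id)
        result.append(case_id)
    return result


def check_duplicates(response: Any, current_case_id: int) -> dict[str, Any]:
    """Produce the skill's two outputs. A missing response or an error payload is a
    failed check; it must not be read as 'no duplicates' and silently continued."""
    if response is None or (isinstance(response, dict) and "error" in response):
        return {"SIMILAR_CASE_IDS": [], "SIMILARITY_CHECK_STATUS": "failure"}
    return {
        "SIMILAR_CASE_IDS": extract_similar_case_ids(response, current_case_id),
        "SIMILARITY_CHECK_STATUS": "success",
    }


def triage(similar_case_ids: list[int], confirmed_duplicate_of: int | None = None) -> dict[str, Any]:
    """Apply the usage pattern. Similarity alone never closes a case: the caller
    must name the case that review confirmed as the true duplicate."""
    if not similar_case_ids:
        return {"action": "proceed_with_analysis"}
    if confirmed_duplicate_of is None:
        return {"action": "continue_with_correlation", "related_cases": list(similar_case_ids)}
    if confirmed_duplicate_of not in similar_case_ids:
        raise ValueError(f"case {confirmed_duplicate_of} was not in the similarity results")
    return {
        "action": "close_as_duplicate",
        "comment": f"Closing as duplicate of {confirmed_duplicate_of}",
        "reason": "NOT_MALICIOUS",
        "root_cause": "Similar case is already under investigation",
    }


if __name__ == "__main__":
    outputs = check_duplicates(SAMPLE_RESPONSE, CURRENT_CASE_ID)
    print(outputs)
    print(triage(outputs["SIMILAR_CASE_IDS"]))
    print(triage(outputs["SIMILAR_CASE_IDS"], confirmed_duplicate_of=1042))
```

The `triage` function deliberately separates "similar cases exist" from "duplicate confirmed": closing on similarity alone would let a repeat of the same alert group from a new intrusion be suppressed under an already-closed case, so the close branch only runs when review has named the duplicate.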
When Duplicates Are Found
If `SIMILAR_CASE_IDS` is not empty and review confirms that one of the listed cases is a true duplicate (not merely a related case; see Usage Pattern):
- Document: "Closing as duplicate of [Similar Case ID]"
- Close with:
  - Reason: `NOT_MALICIOUS`
  - Root cause: Similar case is already under investigation
  - Reason: