Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns a list of similar cases.
Identify potentially duplicate or similar existing cases before starting deep analysis.
- CASE_ID - The ID of the current case to check
- ALERT_GROUP_IDENTIFIERS - Alert group identifiers for the case
- DAYS_BACK - How many days to search back (default: 7)
- INCLUDE_OPEN - Include open cases (default: true)
- INCLUDE_CLOSED - Include closed cases (default: false)

```
secops-soar.siemplify_get_similar_cases(
    case_id=CASE_ID,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS,
    days_back=DAYS_BACK,
    include_open_cases=INCLUDE_OPEN,
    include_closed_cases=INCLUDE_CLOSED
)
```
Extract the list of similar case IDs from the response.
| Output | Description |
|---|---|
| SIMILAR_CASE_IDS | List of case IDs identified as potentially similar/duplicate |
| SIMILARITY_CHECK_STATUS | Success/failure status of the check |
1. Check duplicates BEFORE enrichment
2. If duplicates found:
   - Review similar case(s)
   - If confirmed duplicate: close as duplicate
   - If related but distinct: note correlation, continue
3. If no duplicates: proceed with analysis
If SIMILAR_CASE_IDS is not empty: NOT_MALICIOUS (a similar case is already under investigation)
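As an added illustration of the extraction step and the decision branches above (this is example code, not part of the runbook and not the secops-soar tool's own implementation), the following Python assumes a response shape for siemplify_get_similar_cases (a bare list of case IDs, or a dict carrying them under "similar_case_ids"/"case_ids", or an error dict) and assumes the status and action strings it returns. It strips the current case from the result so a case never counts as its own duplicate, and it reports a malformed response as a failure rather than as "no duplicates", because treating a failed check as an empty result would send the case into full analysis while a real duplicate may exist.

```python
"""Added example: extract SIMILAR_CASE_IDS from an assumed
siemplify_get_similar_cases response and apply the runbook's triage branches.
Response shapes, status strings and action names are assumptions."""
from typing import Any, Optional


def extract_similar_case_ids(response: Any, current_case_id: int) -> tuple[list[int], str]:
    """Return (SIMILAR_CASE_IDS, SIMILARITY_CHECK_STATUS).

    Assumed shapes: a list of case IDs, a dict with "similar_case_ids" or
    "case_ids", or a dict with a truthy "error" key. Anything else, or a
    non-integer ID, is reported as a failure so the caller does not mistake
    a broken check for "no duplicates".
    """
    if isinstance(response, dict):
        if response.get("error"):
            return [], "failure"
        raw = response.get("similar_case_ids", response.get("case_ids", []))
    elif isinstance(response, (list, tuple)):
        raw = response
    else:
        return [], "failure"

    ids: list[int] = []
    for item in raw:
        try:
            cid = int(item)
        except (TypeError, ValueError):
            return [], "failure"
        # The current case is not a duplicate of itself; also drop repeats.
        if cid != current_case_id and cid not in ids:
            ids.append(cid)
    return ids, "success"


def triage_decision(similar_ids: list[int], confirmed_duplicate_of: Optional[int] = None) -> dict:
    """Apply the runbook branches.

    - no similar cases            -> proceed with analysis
    - reviewer confirmed a dup    -> close as duplicate
    - similar but distinct        -> note correlation and continue
    A non-empty SIMILAR_CASE_IDS carries the runbook's NOT_MALICIOUS hint.
    """
    if not similar_ids:
        return {"action": "proceed_with_analysis", "verdict_hint": None}
    if confirmed_duplicate_of is not None:
        # Guard: the confirmed duplicate must be one of the reviewed cases.
        if confirmed_duplicate_of not in similar_ids:
            raise ValueError(f"case {confirmed_duplicate_of} was not in SIMILAR_CASE_IDS")
        return {"action": "close_as_duplicate", "duplicate_of": confirmed_duplicate_of,
                "verdict_hint": "NOT_MALICIOUS"}
    return {"action": "note_correlation_and_continue", "related": list(similar_ids),
            "verdict_hint": "NOT_MALICIOUS"}


if __name__ == "__main__":
    # Constructed sample response standing in for the real tool call.
    sample_response = {"similar_case_ids": [101, 42, 205]}
    ids, status = extract_similar_case_ids(sample_response, current_case_id=42)
    print(ids, status)                                   # [101, 205] success
    print(triage_decision(ids))                          # note correlation, continue
    print(triage_decision(ids, confirmed_duplicate_of=101))  # close as duplicate
```

The analyst review in step 2 is represented by the `confirmed_duplicate_of` argument: the function only closes as duplicate when a reviewer names a case that actually came back from the similarity check.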