https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433105#M346 <P>Hello all,</P><P>&nbsp;</P><P>We're trying to develop a playbook that first look at similar incident (FindSimilarIncidents) before proceeding but it isn't able to find any similar incident (even when we have duplicate of the current incident).</P><P>&nbsp;</P><P>For a bit of context this playbook is executed from the result of a Tenable scan when vulnerabilities are identified. For each vulnerability there's an incident with the impacted hosts. We're trying to match incident with same plugin id from older scan. The plugin id is in an incident key called vulnerabilitypluginid.</P><P>&nbsp;</P><P>We're executing the following command which return no duplicate incident:</P><P>!FindSimilarIncidents similarIncidentKeys=vulnerabilitypluginid</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_0-1631284094703.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36312iCFA7C07765347327/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_0-1631284094703.png" alt="AlexandreBorgo_0-1631284094703.png" /></span></P><P>&nbsp;</P><P>And when we use the Incidents page to search similar incident base on the vulnerabilitypluginid we obtain the good result:</P><P>-id:82248 and vulnerabilitypluginid:100634 and created:&gt;="2021-09-07T13:51:17.761721+00:00" and created:&lt;"2021-09-10T13:51:17.761721+00:00" and -status:Closed</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_2-1631284374214.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36314i3D3F17BFA05889E6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_2-1631284374214.png" alt="AlexandreBorgo_2-1631284374214.png" /></span></P><P>&nbsp;</P><P>When trying the same with the incident key name (same plugin id = same vuln will have the same name) instead of vulnerabilitypluginid we get the good result:</P><P>!FindSimilarIncidents similarIncidentKeys=name</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_1-1631284184311.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36313i6DF05F3659FBE31A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_1-1631284184311.png" alt="AlexandreBorgo_1-1631284184311.png" /></span></P><P>&nbsp;</P><P>Could you help us understand why we cannot obtain similar incident with our incident key vulnerabilityplugindid from the automation FindSimilarIncidents please ?</P><P>&nbsp;</P><P>Thanks a lot for reading this post.</P><P>&nbsp;</P><P>Regards,</P><P>Alexandre</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Sep 2021 14:40:49 GMT AlexandreBorgo 2021-09-10T14:40:49Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433105#M346 <P>Hello all,</P><P>&nbsp;</P><P>We're trying to develop a playbook that first look at similar incident (FindSimilarIncidents) before proceeding but it isn't able to find any similar incident (even when we have duplicate of the current incident).</P><P>&nbsp;</P><P>For a bit of context this playbook is executed from the result of a Tenable scan when vulnerabilities are identified. For each vulnerability there's an incident with the impacted hosts. We're trying to match incident with same plugin id from older scan. The plugin id is in an incident key called vulnerabilitypluginid.</P><P>&nbsp;</P><P>We're executing the following command which return no duplicate incident:</P><P>!FindSimilarIncidents similarIncidentKeys=vulnerabilitypluginid</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_0-1631284094703.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36312iCFA7C07765347327/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_0-1631284094703.png" alt="AlexandreBorgo_0-1631284094703.png" /></span></P><P>&nbsp;</P><P>And when we use the Incidents page to search similar incident base on the vulnerabilitypluginid we obtain the good result:</P><P>-id:82248 and vulnerabilitypluginid:100634 and created:&gt;="2021-09-07T13:51:17.761721+00:00" and created:&lt;"2021-09-10T13:51:17.761721+00:00" and -status:Closed</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_2-1631284374214.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36314i3D3F17BFA05889E6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_2-1631284374214.png" alt="AlexandreBorgo_2-1631284374214.png" /></span></P><P>&nbsp;</P><P>When trying the same with the incident key name (same plugin id = same vuln will have the same name) instead of vulnerabilitypluginid we get the good result:</P><P>!FindSimilarIncidents similarIncidentKeys=name</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_1-1631284184311.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36313i6DF05F3659FBE31A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_1-1631284184311.png" alt="AlexandreBorgo_1-1631284184311.png" /></span></P><P>&nbsp;</P><P>Could you help us understand why we cannot obtain similar incident with our incident key vulnerabilityplugindid from the automation FindSimilarIncidents please ?</P><P>&nbsp;</P><P>Thanks a lot for reading this post.</P><P>&nbsp;</P><P>Regards,</P><P>Alexandre</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Sep 2021 14:40:49 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433105#M346 AlexandreBorgo 2021-09-10T14:40:49Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433271#M347 <P>I think&nbsp;<SPAN><STRONG>similarIncidentKeys</STRONG> is deprecated. Try to use only&nbsp;</SPAN><SPAN><STRONG>similarIncidentFields</STRONG>.<BR />And if that still not works, then use&nbsp;<SPAN><STRONG>similarIncidentKeys=incident.vulnerabilityplugindid&nbsp;&nbsp;</STRONG>with incident prefix<BR /><BR /></SPAN></SPAN></P> Sat, 11 Sep 2021 18:52:19 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433271#M347 aazadaliyev 2021-09-11T18:52:19Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433878#M351 <P>Hello Aazadaliyev,</P><P>&nbsp;</P><P>Thank for your reply. I tested both solution but they're not working.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_0-1631636235605.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36382i378BFBD36E935413/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_0-1631636235605.png" alt="AlexandreBorgo_0-1631636235605.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexandreBorgo_1-1631636265144.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36383i45BE257FB7117DE3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AlexandreBorgo_1-1631636265144.png" alt="AlexandreBorgo_1-1631636265144.png" /></span></P><P>&nbsp;</P><P>the issue doesn't seem to be on finding the key but during the comparaison?</P> Tue, 14 Sep 2021 16:19:10 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/433878#M351 AlexandreBorgo 2021-09-14T16:19:10Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/435082#M355 <P>What is the type of the field? Number or string?</P> Sun, 19 Sep 2021 07:38:41 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/findsimilarincidents-doesn-t-work/m-p/435082#M355 aazadaliyev 2021-09-19T07:38:41Z