We're trying to develop a playbook that first look at similar incident (FindSimilarIncidents) before proceeding but it isn't able to find any similar incident (even when we have duplicate of the current incident).
For a bit of context this playbook is executed from the result of a Tenable scan when vulnerabilities are identified. For each vulnerability there's an incident with the impacted hosts. We're trying to match incident with same plugin id from older scan. The plugin id is in an incident key called vulnerabilitypluginid.
We're executing the following command which return no duplicate incident:
And when we use the Incidents page to search similar incident base on the vulnerabilitypluginid we obtain the good result:
-id:82248 and vulnerabilitypluginid:100634 and created:>="2021-09-07T13:51:17.761721+00:00" and created:<"2021-09-10T13:51:17.761721+00:00" and -status:Closed
When trying the same with the incident key name (same plugin id = same vuln will have the same name) instead of vulnerabilitypluginid we get the good result:
Could you help us understand why we cannot obtain similar incident with our incident key vulnerabilityplugindid from the automation FindSimilarIncidents please ?
Thanks a lot for reading this post.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!