Hello all,
We're trying to develop a playbook that first look at similar incident (FindSimilarIncidents) before proceeding but it isn't able to find any similar incident (even when we have duplicate of the current incident).
For a bit of context this playbook is executed from the result of a Tenable scan when vulnerabilities are identified. For each vulnerability there's an incident with the impacted hosts. We're trying to match incident with same plugin id from older scan. The plugin id is in an incident key called vulnerabilitypluginid.
We're executing the following command which return no duplicate incident:
!FindSimilarIncidents similarIncidentKeys=vulnerabilitypluginid
And when we use the Incidents page to search similar incident base on the vulnerabilitypluginid we obtain the good result:
-id:82248 and vulnerabilitypluginid:100634 and created:>="2021-09-07T13:51:17.761721+00:00" and created:<"2021-09-10T13:51:17.761721+00:00" and -status:Closed
When trying the same with the incident key name (same plugin id = same vuln will have the same name) instead of vulnerabilitypluginid we get the good result:
!FindSimilarIncidents similarIncidentKeys=name
Could you help us understand why we cannot obtain similar incident with our incident key vulnerabilityplugindid from the automation FindSimilarIncidents please ?
Thanks a lot for reading this post.
Regards,
Alexandre
Hello Aazadaliyev,
Thank for your reply. I tested both solution but they're not working.
the issue doesn't seem to be on finding the key but during the comparaison?
