Identify Similar Cases
About similar cases
When you're working on a case in Devo SOAR, the system can help you identify similar cases in the repository.
Two cases are similar if the same IP address, URL, or file hash is found in the description, case title, or both. The IP address, URL, and file hash are automatically extracted from the Summary field or case title.
The custom fields that are marked as 'observable' are compared for similarity. Two cases are similar if they have the same value for a given observable field.
Identify Similar Cases based on Devo SOAR Recommendations
Let's say you’re working on a case, and you want to know whether an IP address, URL, file hash, or other observable field value mentioned in your case matches those in any other cases.
Navigate to Case Management > Cases and click on the case to view the matching cases.
Click Link cases > Search for Similar Cases under the Linked Cases section. Devo SOAR shows a list of the cases it has determined are similar based on observable fields. To learn more about observable fields, see Manage Case Fields.
Link and Unlink Cases
To link a case, use any one of these options: Search for Similar Cases, Link Cases by Case ID, or Suggested Cases.
Search for Similar Cases
Click Link cases > Search for Similar Cases under the Linked Cases section. You will see a list of SIMILAR CASES for the current case.
Use the checkbox to select a case and click Link. The selected case is linked to your current case.
Link Cases by Case ID
Use the Link Cases by Case ID option to link directly if you know the case ID of the similar case.
Click Link cases > Link Cases by Case ID under the Linked Cases section.
Enter the case ID, or multiple case IDs separated by commas, and click Add.
Suggested Cases
Suggested Cases will list all similar cases based on all observable fields.
Choose the Suggested Cases tab and click Search for Similar Cases under the Linked Cases section. You will see a list of SIMILAR CASES for the current case.
Use the checkbox to select a case and click Link. The selected case is linked to your current case.
After you link a similar case to the current case, the case will not be listed in suggested cases. All cases that are linked will be listed under Linked Cases.
Unlink Case
To unlink a case, hover your cursor over the respective Case ID and click the Unlink Case icon under the Linked Cases section.
Click on the linked cases drop-down to expand and view the information about the case and similar observables.
Find Similar Cases based on the Value of a Custom Field
When creating a custom case field, the Is Observable option helps you identify cases that are similar to each other. Two cases having the same value for an observable field are considered similar.
To create a new field:
Navigate to Settings > Case Settings on the left navigation.
Click Fields > New Field.
In the New Field form, enter the field details, select the Is observable checkbox, and click Save. To learn more, see Manage Case Fields.
Identify Similar Observable Fields
To identify if the value of the observable field in your case matches the value of the observable field in other cases:
Navigate to Case Management > Cases and open any case. Then, click Link cases > Search for Similar Cases under the Linked Cases section.
A new page opens with a list of the observable fields and space to enter values on the left. The matching cases are shown in the middle of the page.
You can match on multiple observable fields. Matches on multiple fields are always OR matches.
Click on the Observables drop-down to add additional fields. To remove a field, hover over it and click X.
The fraction in the Match column represents the number of fields with matching values divided by the total number of observable fields.
If you were matching on additional fields or if the case included IP address, URL, or file hash values automatically extracted, those matches would also be included in the list.
The controls on the right allow you to sort the list and apply priority or status filters. When you select controls on the right, the list of matching cases updates immediately.
To link other cases to the current case and redisplay the current case, select the required cases and click Link.
Now when you expand the Linked Cases area, you can see the linked cases listed.
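The matching rules described above (automatic extraction of IP addresses, URLs, and file hashes from the title and Summary, OR matching across observable fields, and the Match fraction) can be modeled in a short Python sketch. This is an added illustration, not Devo SOAR code: the regular expressions, the case dictionary layout, the field names, and the sample cases are constructed assumptions.

```python
import re

# Simplified patterns for the three auto-extracted types (assumptions, not Devo SOAR's rules).
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IP_RE = re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)

# Constructed sample repository; "hostname" and "username" stand in for custom observable fields.
CASES = [
    {"id": 101, "title": "Phishing mail from 203.0.113.45",
     "summary": "User clicked http://example.test/login.", "fields": {"hostname": "ws-042", "username": "jdoe"}},
    {"id": 102, "title": "Beaconing host",
     "summary": "Traffic to 203.0.113.45 seen on proxy", "fields": {"hostname": "ws-099", "username": "asmith"}},
    {"id": 103, "title": "Malware alert",
     "summary": "No network indicators", "fields": {"hostname": "ws-042", "username": "jdoe"}},
    {"id": 104, "title": "Password reset",
     "summary": "Routine request", "fields": {"hostname": "ws-007", "username": "jdoe"}},
    {"id": 105, "title": "Printer offline",
     "summary": "Hardware fault", "fields": {"hostname": "prn-1", "username": "bob"}},
]

def extract_observables(case):
    """Return the set of (type, value) pairs found in the case title and summary."""
    text = f"{case.get('title', '')} {case.get('summary', '')}"
    found = {("ip", m) for m in IP_RE.findall(text)}
    found |= {("url", m.rstrip(".,;)")) for m in URL_RE.findall(text)}
    found |= {("hash", m.lower()) for m in HASH_RE.findall(text)}
    return found

def matched_fields(current, other, observable_fields):
    """Names of observable fields that hold the same non-empty value in both cases."""
    mine, theirs = current["fields"], other["fields"]
    return [f for f in observable_fields if mine.get(f) not in (None, "") and mine.get(f) == theirs.get(f)]

def similar_cases(current, repository, observable_fields):
    """List similar cases with a Match fraction: matching fields / total observable fields."""
    cur_obs = extract_observables(current)
    results = []
    for other in repository:
        if other["id"] == current["id"]:
            continue
        shared = cur_obs & extract_observables(other)
        matched = matched_fields(current, other, observable_fields)
        if shared or matched:  # OR semantics: any single match makes the case similar
            results.append({"id": other["id"], "match": f"{len(matched)}/{len(observable_fields)}",
                            "fields": matched, "shared": sorted(shared)})
    results.sort(key=lambda r: len(r["fields"]) + len(r["shared"]), reverse=True)
    return results
```

In this sketch the fraction counts only the custom observable fields and reports auto-extracted matches separately; how the product combines the two in the Match column is not stated on this page.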