Assuming an incident type configuration runs the associated playbook automatically, which pre-process rule action can preserve matching incidents without triggering the playbook?
Pre-process rules allow XSOAR to evaluate incoming events before they are fully created as incidents. These rules can suppress, modify, or relate events based on defined criteria. According to the Admin Guide, when a pre-process rule uses the Link action, XSOAR links the incoming event to an existing incident without triggering the standard incident creation process or subsequent playbook execution. This preserves the data for correlation and investigation while preventing duplicate or unnecessary playbook runs.
The Close action (A) suppresses incidents completely and is used to auto-close unwanted events; this prevents preservation of the event and does not trigger the playbook. The Drop action (C) discards incoming events entirely, removing them from the system and not preserving them. The Update action (B) modifies or enriches existing incidents but does not stop the playbook from running on newly created incidents of that type.
Because the requirement is to preserve the incident while also preventing automatic playbook execution, the Link action is the only workflow that fulfills both requirements according to XSOAR’s pre-process rule architecture. Thus, option D is correct.