Identify Similar Cases

When you're working on a case in LogicHub, the system can help you identify similar cases in the repository.

  • Two cases are similar if the same IP address, URL, or file hash is found in the description, case title, or both. The IP address, URL, and file hash are automatically extracted from the Summary field or case title.
  • The custom fields that are marked as ‘observable’ are compared for similarity. Two cases are similar if they have the same value for a given observable field.

Identify Similar Cases based on LogicHub Recommendations

Let's say you’re working on a case, and you want to know whether an IP address, URL, file hash, or other observable field value mentioned in your case matches those in any other cases.

  1. Go to Case Management > Cases and click the case for which you want to view matching cases.
  2. Click Search for Similar Cases under Linked Cases. A list appears showing the cases that LogicHub has determined are similar based on observable fields. To learn more about observable fields, see Manage Case Fields.

Link and Unlink Cases

To link a case, click Search for Similar Cases or Suggested Cases.

  1. Click Search for Similar Cases. You will see a list of similar cases for the current case.
  2. Select a case and click Link. The selected case is linked to your current case.
  3. Suggested Cases, on the other hand, lists all similar cases based on all observable fields.
  4. Click the Suggested Cases tab to view the list of similar cases.
  5. Click Link and the case will be linked to your current case.
  6. After you link a similar case to the current case, the case will not be listed in suggested cases. All cases that are linked will be listed under Linked Cases.
  7. To unlink a case, click on the unlink icon.
  8. Click on the linked cases drop-down to expand and view the information about the case and similar observables.

Find Similar Cases based on the Value of a Custom Field

When creating a custom case field, the Is Observable option helps you identify cases that are similar to each other. Two cases having the same value for an observable field are considered similar.

To create a new field:

  1. Go to Settings > Case Settings on the left navigation.
  2. Click Fields > New Field.
  3. In the new field form, enter the field details and make sure to select the Is Observable checkbox, and click Save. To know more, see Manage Case Fields.

Identify Similar Observable Fields

To identify if the value of the observable field in your case matches the value of the observable field in other cases:

  1. Go to Case Management > Cases and open any case. Then, click Search for Similar Cases under the Linked Cases section.
    • A new page opens with a list of the observable fields and space to enter values on the left. The matching cases are shown in the middle of the page.
  2. You can match on multiple observable fields. Matches on multiple fields are always OR matches.
  3. Click on the Observables drop-down to add additional fields. To remove a field, hover over it and click X.
  4. The fraction in the Match column represents the number of fields with matching values divided by the total number of observable fields.
    • If you match on additional fields, or if the case includes automatically extracted IP address, URL, or file hash values, those matches are also included in the list.
    • The controls on the right allow you to sort the list and apply priority or status filters. When you select controls on the right, the list of matching cases updates immediately.
  5. To link other cases to the current case and redisplay the current case, select the required cases and click Link.
    • Now when you expand the Linked Cases area, you can see the linked cases listed.
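
The matching rules described on this page (automatically extracted observables, OR matching across observable fields, and the Match fraction) can be modeled as follows. This is an added illustration, not LogicHub's code: the regexes, the case dictionary layout, the `extract` and `similar_cases` names, and the use of the searched fields as the fraction's denominator are all assumptions.

```python
import re

# Assumed extraction patterns; the page does not say how LogicHub parses observables.
PATTERNS = {
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.I),
    "hash": re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I),
}

def extract(case):
    """Pull IP, URL and hash observables out of the case title and summary."""
    text = f"{case.get('title', '')} {case.get('summary', '')}"
    return {(kind, m.group(0).rstrip(".,;)").lower())
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)}

def similar_cases(current, others, observable_fields):
    """List cases sharing any observable with `current`, best field match first."""
    fields = current.get("fields", {})
    query = {f: fields[f] for f in observable_fields if fields.get(f)}
    current_obs = extract(current)
    results = []
    for case in others:
        matched = [f for f, v in query.items() if case.get("fields", {}).get(f) == v]
        shared = sorted(current_obs & extract(case))
        if matched or shared:  # OR semantics: one match is enough to be listed
            results.append({"id": case["id"], "match": (len(matched), len(query)),
                            "fields": matched, "extracted": shared})
    return sorted(results, key=lambda r: r["match"][0], reverse=True)

# Constructed sample cases (documentation-range IPs, reserved .test domain).
CURRENT = {"id": 101, "title": "Phishing email from 198.51.100.7",
           "summary": "User clicked http://login.example.test/reset",
           "fields": {"username": "jdoe", "hostname": "ws-042"}}
OTHERS = [
    {"id": 102, "title": "Beacon to 198.51.100.7",
     "fields": {"username": "asmith", "hostname": "ws-042"}},
    {"id": 103, "title": "Password reset request",
     "fields": {"username": "jdoe", "hostname": "ws-042"}},
    {"id": 104, "title": "Port scan", "summary": "Source 203.0.113.9",
     "fields": {"username": "bob", "hostname": "ws-001"}},
    {"id": 105, "title": "Proxy alert",
     "summary": "http://login.example.test/reset seen in proxy logs"},
]

if __name__ == "__main__":
    for r in similar_cases(CURRENT, OTHERS, ["username", "hostname"]):
        print(f"case {r['id']}: {r['match'][0]}/{r['match'][1]} fields, extracted={r['extracted']}")
```

Case 105 shares no custom field value with the current case yet is still listed, because a shared extracted URL alone is enough; when triaging, treat a low fraction as a weaker link, not as a non-match.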
