Identify Similar Cases

When you're working on a case in LogicHub, the system can help you identify other cases that are similar.

  • IP addresses, URLs, and file hashes are automatically extracted from the case title and description. Two cases are similar if the same IP address, URL, or file hash is found in the description, case title, or both.
  • Custom fields that are marked as ‘observable’ are compared for similarity. Two cases are similar if they have the same value for a given observable field.

Identify similar cases based on LogicHub recommendations

Suppose you’re working on a case and you want to know whether an IP address, URL, file hash, or other observable field value mentioned in your case matches those in any other cases. To find out, select Case Management > Cases and click the case to select it.

Expand the Linked Cases section if needed to show the Linked and Suggested tabs. The Suggested tab lists the cases that LogicHub has determined are similar based on all observable fields, including auto-extracted observables (IP addresses, URLs, and file hashes).

Link and Unlink Cases

To link a suggested case to the current case, click Link. This action moves the case to the Linked tab. To unlink, click Unlink on the Linked tab.

To display the details of the similarity between a suggested or linked case and the current case, click the case ID on the Linked or Suggested tab. The entry expands to show information about the case and all of the observables that are similar.

To open the case record for a similar case, click its name on the Linked or Suggested tab. If the case has been linked, the case that it was linked from is listed in the Linked tab.

Search for Similar Cases

If you can't make the connections that you’re interested in based on the suggested cases, you can extend your search for similar cases. On the Linked or Suggested tab, click Search for Similar Cases.

Find Similar Cases based on the Value of a Custom Field

When creating a custom case field, the ‘is Observable’ option helps you identify cases that are similar to each other. Two cases that have the same value for an observable field are considered similar.

In the following example, the Location field is marked as observable when it is created.

Suppose you’re working on a case and you want to know whether the value of the Location field in your case matches the value of the Location field in any other cases. To find out, select Case Management > Cases and click the case to select it. Then expand the Linked Cases section and click Search for Similar Cases.

A new page opens with a list of the observable fields and space to enter values on the left. The matching cases are shown in the middle of the page.

You can match on multiple observable fields. Matches on multiple fields are always OR matches. To add additional fields, click in the Observables area on the left. To remove a field, hover over it and click X.

The fraction in the Match column represents the number of fields with matching values divided by the total number of observable fields. If you were matching on additional fields or if the case included IP address, URL, or file hash values that were automatically extracted, those matches would also be included in the list.

In the following example, values have been entered for an additional observable field. For the first two listed cases, the Match column shows 2/2 for each, indicating that there are 2 matches (the Location and Network Call values) out of the 2 observable fields. For the last case, the Match column is 1/2, indicating that the case (LHUB-1199) matches one of the observable fields.
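The matching rules described on this page can be modeled in a few lines. The following is an added illustration, not LogicHub's code: the regular expressions, the function names, the sample cases (other than the ID LHUB-1199 and the Location and Network Call field names), and the choice of the number of fields entered in the search as the Match denominator are all assumptions.

```python
import re

# Assumed regexes for the auto-extracted types; the product's own rules are not documented here.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "hash": re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b"),
}

def extract_observables(case):
    """Collect IPs, URLs and file hashes from the case title and description."""
    text = f"{case.get('title', '')}\n{case.get('description', '')}"
    found = set()
    for kind, rx in PATTERNS.items():
        for value in rx.findall(text):
            value = value.rstrip(".,;)")  # drop trailing sentence punctuation
            found.add((kind, value.lower() if kind == "hash" else value))
    return found

def shared_observables(a, b):
    """Two cases are similar if any extracted observable appears in both."""
    return extract_observables(a) & extract_observables(b)

def search_similar(query, cases):
    """OR-match observable field values; Match = matching fields / fields searched."""
    results = []
    for case in cases:
        fields = case.get("fields", {})
        matched = sum(1 for name, value in query.items() if fields.get(name) == value)
        if matched:  # OR semantics: one matching field is enough to be listed
            results.append((case["id"], matched, len(query)))
    results.sort(key=lambda r: r[1], reverse=True)  # stable: ties keep input order
    return [(cid, f"{m}/{n}") for cid, m, n in results]

# Constructed sample data; only the ID LHUB-1199 and the field names come from the page.
CASES = [
    {"id": "CASE-A", "title": "Beacon to 203.0.113.7", "description": "",
     "fields": {"Location": "Austin", "Network Call": "outbound-443"}},
    {"id": "LHUB-1199", "title": "Phish", "description": "Link http://example.test/login.",
     "fields": {"Location": "Austin", "Network Call": "dns-tunnel"}},
    {"id": "CASE-B", "title": "Malware", "description": "Host 203.0.113.7 seen again",
     "fields": {"Location": "Austin", "Network Call": "outbound-443"}},
    {"id": "CASE-C", "title": "Unrelated", "description": "",
     "fields": {"Location": "Denver", "Network Call": "smb"}},
]
QUERY = {"Location": "Austin", "Network Call": "outbound-443"}

if __name__ == "__main__":
    print(search_similar(QUERY, CASES))
    print(shared_observables(CASES[0], CASES[2]))
```

Because the match is an OR, a case that agrees on a single field is still listed with a lower fraction, while a case that agrees on none is left out.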

The controls on the right allow you to sort the list and apply priority or status filters. When you select controls on the right, the list of matching cases updates immediately.

To link other cases to the current case and redisplay the current case, select the checkboxes for the cases of interest and click Link.

Now when you expand the Linked Cases area, you can see the linked cases listed.

