What it does

This skill runs a similarity lookup for a given CASE_ID and optional alert-group identifiers to identify existing cases that may be duplicates or closely related. It queries the incident/case store (via a secops SOAR helper) and extracts SIMILAR_CASE_IDS and a check status. Use it to avoid re-investigating incidents that have already been handled or to surface related context quickly.

When to use it

Run this skill early in an investigation workflow — before enrichment or deep analysis — whenever you receive a new case ID or alert bundle. It is especially useful for high-volume environments where duplicates are common and for triage workflows that need to avoid wasted analyst time.

What's included

Scripts: none embedded in the SKILL.md, but the workflow shows a call to secops-soar.siemplify_get_similar_cases
References: none
Instructions: the SKILL.md provides input names (CASE_ID, ALERT_GROUP_IDENTIFIERS, DAYS_BACK, INCLUDE_OPEN/CLOSED), the expected outputs (SIMILAR_CASE_IDS, SIMILARITY_CHECK_STATUS), and a short usage pattern describing actions to take if duplicates are found (close as duplicate, document correlation, or proceed).