check-duplicates

Name: check-duplicates
Author: dandye/ai-runbooks

$npx mdskill add dandye/ai-runbooks/check-duplicates

Identify potential duplicate or similar security incidents before deep analysis to prevent redundant investigation.

Avoid wasting time investigating the same security event multiple times.
Interacts with the underlying SIEM/SOAR platform to query case data.
Compares a provided case ID against other records based on identifiers and timeframes.
Returns a list of related case identifiers and the status of the comparison.

SKILL.md

.github/skills/check-duplicatesView on GitHub ↗

---
name: check-duplicates
description: "Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases."
required_roles:
  soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst]
---

# Check Duplicates Skill

Identify potentially duplicate or similar existing cases before starting deep analysis.

## Inputs

- `CASE_ID` - The ID of the current case to check
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers for the case
- *(Optional)* `DAYS_BACK` - How many days to search back (default: 7)
- *(Optional)* `INCLUDE_OPEN` - Include open cases (default: true)
- *(Optional)* `INCLUDE_CLOSED` - Include closed cases (default: false)

## Workflow

### Step 1: Execute Similarity Check

```
secops-soar.siemplify_get_similar_cases(
    case_id=CASE_ID,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS,
    days_back=DAYS_BACK,
    include_open_cases=INCLUDE_OPEN,
    include_closed_cases=INCLUDE_CLOSED
)
```

### Step 2: Process Results

Extract the list of similar case IDs from the response.

## Outputs

| Output | Description |
|--------|-------------|
| `SIMILAR_CASE_IDS` | List of case IDs identified as potentially similar/duplicate |
| `SIMILARITY_CHECK_STATUS` | Success/failure status of the check |

## Usage Pattern

```
1. Check duplicates BEFORE enrichment
2. If duplicates found:
   - Review similar case(s)
   - If confirmed duplicate: close as duplicate
   - If related but distinct: note correlation, continue
3. If no duplicates: proceed with analysis
```

## When Duplicates Are Found

If `SIMILAR_CASE_IDS` is not empty:

1. Document: "Closing as duplicate of [Similar Case ID]"
2. Close with:
   - Reason: `NOT_MALICIOUS`
   - Root cause: `Similar case is already under investigation`

More from dandye/ai-runbooks

Skill	Description
analyze-content-gaps	Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
audit-content	Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
close-case-artifact	"Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause."
cluster-documents	Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
confirm-action	"Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
correlate-ioc	"Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
deep-dive-ioc	"Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
design-metadata-schema	Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
document-in-case	"Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."
enrich-ioc	"Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status."