A look at the Recommendations widget in depth

This document explains how Google SecOps determines which cases the Recommendations widget shows and which cases the Siemplify Get Similar Cases action returns, and why the two sets of results can differ.

Recommendations widget

The platform gathers candidate cases from two sources: cases from the last 30 days that share the same entities and the same rule generator as the current case, and the 10 cases among the latest 1000 that have the most matching entities and rule generators.

Google SecOps ranks these candidates according to internal algorithms and selects only 5 cases.

The Recommendations widget on the Cases page shows those top 5 cases.

Siemplify Get Similar Cases (SDK, playbook action, and manual action)

Similar cases are found by combining a filter with a time period.

You can set up to 4 filter values, and a case must match every filter you set, within the requested time period:

  • Entity identifiers
  • Category outcomes
  • Ports
  • Rule Generators

The results show only the cases that match all the filter options you have set. For example, set the filter to include port 52 and the Malware Detection rule generator within the last 6 days. The cases in that period whose relations include port 52 are Case ID #2, Case ID #5 and Case ID #9.

The cases in that period that have an alert with the Malware Detection rule generator are Case ID #5 and Case ID #9. Because a case must match both filters, the platform shows the user two cases: Case ID #5 and Case ID #9.

In general, the Get Similar Cases action can return up to 10,000 cases.
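The following Python model of the filter semantics described above is an added example; it is not code from the Siemplify SDK or from Google SecOps. The case and alert structures, the sample cases, and the choice that a multi-value filter passes when at least one of its values appears on the case are assumptions made for illustration. The page only states that every filter you set must match within the time period and that at most 10,000 cases are returned.

```python
"""Model of the Get Similar Cases filter semantics (added example, not SDK code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_RESULTS = 10_000  # the action returns at most this many cases


@dataclass
class Alert:
    rule_generator: str
    category_outcome: str


@dataclass
class Case:
    case_id: int
    created: datetime
    entity_identifiers: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def rule_generators(self):
        return {a.rule_generator for a in self.alerts}

    def category_outcomes(self):
        return {a.category_outcome for a in self.alerts}


def _passes(filter_values, case_values):
    """A filter that was not set always passes. A set filter passes when at least
    one of its values appears on the case (assumption about multi-value filters;
    the page only states that every filter you set must match)."""
    if not filter_values:
        return True
    return bool(set(filter_values) & set(case_values))


def get_similar_cases(cases, now, days_back, entity_identifiers=None,
                      category_outcomes=None, ports=None, rule_generators=None):
    """Return the IDs of cases created within the last `days_back` days that
    satisfy every supplied filter (AND across filters), capped at MAX_RESULTS."""
    start = now - timedelta(days=days_back)
    matches = []
    for case in cases:
        if not (start <= case.created <= now):
            continue  # outside the requested time period
        if not _passes(entity_identifiers, case.entity_identifiers):
            continue
        if not _passes(category_outcomes, case.category_outcomes()):
            continue
        if not _passes(ports, case.ports):
            continue
        if not _passes(rule_generators, case.rule_generators()):
            continue
        matches.append(case.case_id)
    return sorted(matches)[:MAX_RESULTS]


# Constructed sample data mirroring the page's example: within a 6-day window,
# cases 2, 5 and 9 involve port 52 and cases 5 and 9 carry a Malware Detection
# alert. Case 7 also matches both filters but is 10 days old, so it only appears
# when the time period is widened.
NOW = datetime(2024, 6, 10, 12, 0)
SAMPLE_CASES = [
    Case(1, NOW - timedelta(days=1), {"10.0.0.4"}, {443}, [Alert("Phishing", "Suspicious")]),
    Case(2, NOW - timedelta(days=2), {"10.0.0.7"}, {52}, [Alert("Port Scan", "Suspicious")]),
    Case(5, NOW - timedelta(days=3), {"host-a"}, {52, 445}, [Alert("Malware Detection", "Malicious")]),
    Case(7, NOW - timedelta(days=10), {"host-b"}, {52}, [Alert("Malware Detection", "Malicious")]),
    Case(9, NOW - timedelta(days=5), {"host-a"}, {52}, [Alert("Malware Detection", "Malicious")]),
]


if __name__ == "__main__":
    print(get_similar_cases(SAMPLE_CASES, NOW, 6, ports=[52]))  # [2, 5, 9]
    print(get_similar_cases(SAMPLE_CASES, NOW, 6, rule_generators=["Malware Detection"]))  # [5, 9]
    print(get_similar_cases(SAMPLE_CASES, NOW, 6, ports=[52],
                            rule_generators=["Malware Detection"]))  # [5, 9]
    print(get_similar_cases(SAMPLE_CASES, NOW, 30, ports=[52],
                            rule_generators=["Malware Detection"]))  # [5, 7, 9]
```

The last call shows why the time period matters as much as the filters: the same two filters over 30 days pick up Case ID #7, which the 6-day window excludes. When you tune a playbook action, widen the window first and only then narrow the filters, so you can see which of the two is removing the cases you expected.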

Last update: 06-10-2024 12:06 PM