If you are using Case Management version 9.0, you should refer to this page.
How Subflow 2.2 Works:
- Setup and Preparation: The subflow starts by setting its variables to “no duplicate case found” and calculating how far back to search for duplicates (the “Case Look Back Period”).
- Checking for Duplicates:
  - Name-Based Check: If the deduplication rule prioritizes the alert’s name, the subflow runs a query to find cases with the same name. If a match is found, it updates the variables with the duplicate case’s details.
  - Observable-Based Check: If the rule uses observables (like “File Hash” or “URL”), the subflow searches for cases linked to those observables. Matching cases are flagged as duplicates, and their details are saved.
- Link to 2.1 Subflow- Get Duplication Rule Workflow: The deduplication parameters used (e.g., “Name” or specific observables) are provided by 2.1 Subflow- Get Duplication Rule Workflow, which selects the rules from the Deduplication Table.
Example in Action:
Imagine an alert with:
- Name: “Suspicious File Upload”
- Observables: File Hash: SHA256: abc123... and IP Address: 192.168.1.1
- Subflow 2.1 Rule: The deduplication rule prioritizes “File Hash.”
- Subflow 2.2 Check: The subflow searches for cases with the file hash (SHA256: abc123...). If a match is found, it updates the case details.
- Result: If no duplicates are found, the alert moves forward to either link to an existing case in Subflow 2.3 or create a new case.
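To make the two checks concrete, here is an added Python example (not code from the Case Management workflow itself) that applies the Case Look Back Period first, then runs the name-based or observable-based check that the rule from Subflow 2.1 selects, over constructed case records. The case, alert and rule field layout and the placeholder hash values are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Case:
    """Case record; this field layout is an assumption for the example."""
    case_id: int
    name: str
    created: datetime
    observables: dict  # observable type -> set of values

def within_look_back(case, now, look_back_days):
    """Setup step: only cases created inside the Case Look Back Period are candidates."""
    return case.created >= now - timedelta(days=look_back_days)

def find_duplicate(alert, rule, cases, now, look_back_days=30):
    """Subflow 2.2 check: start from 'no duplicate case found', then fill in the
    duplicate's details if the rule's name or observable check matches."""
    result = {"duplicate_found": False, "duplicate_case_id": None, "matched_on": None}
    candidates = [c for c in cases if within_look_back(c, now, look_back_days)]
    if rule["priority"] == "Name":
        # Name-based check: a case carrying the same name as the alert
        for case in candidates:
            if case.name == alert["name"]:
                result.update(duplicate_found=True, duplicate_case_id=case.case_id, matched_on="Name")
                return result
    else:
        # Observable-based check: a case linked to one of the rule's observable types
        for obs_type in rule["observables"]:
            alert_values = alert["observables"].get(obs_type, set())
            for case in candidates:
                if alert_values & case.observables.get(obs_type, set()):
                    result.update(duplicate_found=True, duplicate_case_id=case.case_id, matched_on=obs_type)
                    return result
    return result

# Constructed sample data mirroring the page's example; hash values are placeholders
NOW = datetime(2024, 6, 1)
CASES = [
    Case(101, "Suspicious File Upload", NOW - timedelta(days=3),
         {"File Hash": {"SHA256: <constructed-hash-A>"}, "IP Address": {"192.168.1.1"}}),
    Case(102, "Old Upload Case", NOW - timedelta(days=90),
         {"File Hash": {"SHA256: <constructed-hash-B>"}}),
]
ALERT_A = {"name": "Suspicious File Upload",
           "observables": {"File Hash": {"SHA256: <constructed-hash-A>"}, "IP Address": {"192.168.1.1"}}}
ALERT_B = {"name": "Other Alert", "observables": {"File Hash": {"SHA256: <constructed-hash-B>"}}}
HASH_RULE = {"priority": "Observables", "observables": ["File Hash"]}
NAME_RULE = {"priority": "Name"}
```

Case 102 shares ALERT_B's hash but falls outside the 30-day look-back, so it is not reported unless the period is widened; an alert whose only shared observable is the IP address is not a duplicate under a rule that prioritizes “File Hash”.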