Subflow 2.2 - Check for Case Duplicates
The Subflow 2.2 - Check for Case Duplicates plays an essential role in the Subflow 2 - Create Case process by ensuring no duplicate cases are created. It works closely with Subflow 2.1 - Get Duplication Rule Workflow, which provides the deduplication rules, to check whether an alert matches an existing case. Together, these subflows streamline case creation by reducing duplicates and keeping the system clean and efficient.
How Subflow 2.2 Works:
Setup and Preparation
The subflow starts by setting its variables to "no duplicate case found" and calculating how far back to search for duplicates (the "Case Look Back Period").
Checking for Duplicates
Name-Based Check:
If the deduplication rule prioritizes the alert’s name, the subflow runs a query to find cases with the same name. If a match is found, it updates variables with the duplicate case details.
Observable-Based Check:
If the rule uses observables (like "File Hash" or "URL"), the subflow searches for cases linked to those observables. Matching cases are flagged as duplicates, and their details are saved.
Link to Subflow 2.1 - Get Duplication Rule Workflow
The deduplication parameters used (e.g., "Name" or specific observables) are provided by Subflow 2.1 - Get Duplication Rule Workflow, which selects the rules from the Deduplication Table.
Example in Action:
Imagine an alert with:
- Name: "Suspicious File Upload"
- Observables: File Hash: SHA256: abc123... and IP Address: 192.168.1.1
- Subflow 2.1 Rule: The deduplication rule prioritizes "File Hash."
- Subflow 2.2 Check: The subflow searches for cases with the file hash (SHA256: abc123...). If a match is found, it updates the case details.
- Result: If no duplicates are found, the alert moves forward to either link to an existing case in Subflow 2.3 or create a new case.
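The check described above, written out as an added Python example (not the platform's own workflow code): a simplified Case/Alert model is assumed, the rule key comes from Subflow 2.1 ("Name" or an observable type such as "File Hash"), and the Case Look Back Period is applied before either check runs, so a same-name case outside the window is not reported as a duplicate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical, simplified case/alert model for this example only; the
# platform's real schema is not shown on the page.
@dataclass
class Case:
    case_id: str
    name: str
    created: datetime
    observables: dict = field(default_factory=dict)  # {"File Hash": "...", "URL": "..."}

@dataclass
class Alert:
    name: str
    observables: dict

def find_duplicate_case(alert, rule_key, cases, now, look_back_days):
    """Subflow 2.2 logic: return the first case matching the deduplication rule
    inside the Case Look Back Period, or None ("no duplicate case found").
    rule_key is "Name" or an observable type such as "File Hash" (from Subflow 2.1)."""
    cutoff = now - timedelta(days=look_back_days)
    recent = [c for c in cases if c.created >= cutoff]  # look-back filter first
    if rule_key == "Name":  # name-based check
        return next((c for c in recent if c.name == alert.name), None)
    value = alert.observables.get(rule_key)  # observable-based check
    if value is None:  # alert lacks the observable the rule keys on: nothing to match
        return None
    return next((c for c in recent if c.observables.get(rule_key) == value), None)

def demo():
    """Constructed sample data: one recent case sharing the alert's file hash,
    one stale case with the same name but outside a 30-day look-back window."""
    now = datetime(2024, 1, 31)
    cases = [
        Case("CASE-1", "Malware Beacon", now - timedelta(days=2), {"File Hash": "SHA256:abc123"}),
        Case("CASE-2", "Suspicious File Upload", now - timedelta(days=45), {"URL": "http://example.test/x"}),
    ]
    alert = Alert("Suspicious File Upload", {"File Hash": "SHA256:abc123", "IP Address": "192.0.2.10"})
    return {
        "by_hash": find_duplicate_case(alert, "File Hash", cases, now, 30),  # CASE-1
        "by_name": find_duplicate_case(alert, "Name", cases, now, 30),       # None: CASE-2 is stale
        "by_name_wide": find_duplicate_case(alert, "Name", cases, now, 90),  # CASE-2
        "by_ip": find_duplicate_case(alert, "IP Address", cases, now, 30),   # None
    }
```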