Deduplication Table
The Deduplication Table in the alert processing section is used to manage and configure deduplication rules for incoming alerts. Deduplication is the process of identifying and eliminating duplicate alerts to prevent redundant processing, allowing the system to focus on unique incidents. In this table, each entry specifies:
- Alert Name: The name or identifier for the alert type or condition.
- Product: The originating product or integration source of the alert.
- Dedup Parameters: The parameters used to determine if alerts are duplicates (e.g., using observables like "URL" or "File Hash" to compare incoming alerts).
- Rule Name: The specific rule applied for deduplication based on the parameters defined for each product.
This table allows administrators to customize deduplication rules for different alert sources, ensuring efficient alert management by consolidating repetitive alerts into single records. This reduces noise and helps maintain a clean and actionable alert feed within the case management system.
Alert Name Syntax
The alert name parameter is mutually exclusive with the other parameters in the Deduplication Table. If the Name parameter is selected as a deduplication parameter, it cancels every other parameter and is used exclusively for the deduplication rule.
The % symbol can be used as a wildcard in alert names: % stands for any sequence of characters, so a single entry can match multiple alert names without specifying each one exactly.
You can create your own deduplication rule by manually adding a new record to the Deduplication Table and filling in the necessary parameters.
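The following Python model is an added example, not code from this product or its documentation. It implements the table's mechanics as described above: a rule is selected by Product and by an Alert Name pattern in which % matches any sequence of characters, the Dedup Parameters name the observables compared between alerts, and selecting Name cancels every other parameter. The column names follow the page; the rule lookup order (first match wins), the case identifiers, the sample alerts and the choice to create a new case when a required observable is missing are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DedupRule:
    """One row of the Deduplication Table (column names from the page; layout assumed)."""
    rule_name: str
    alert_name: str                    # may contain % as a wildcard for any sequence of characters
    product: str
    dedup_parameters: tuple[str, ...]  # e.g. ("URL", "File Hash") or ("Name",)


def alert_name_regex(pattern: str) -> re.Pattern:
    """Translate a % wildcard pattern into an anchored regex; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$", re.DOTALL)


def effective_parameters(rule: DedupRule) -> tuple[str, ...]:
    """Name is mutually exclusive: when selected it cancels every other parameter."""
    if "Name" in rule.dedup_parameters:
        return ("Name",)
    return rule.dedup_parameters


def find_rule(rules, alert):
    """First rule whose Product matches and whose Alert Name pattern matches the alert (assumed order)."""
    for rule in rules:
        if rule.product == alert["product"] and alert_name_regex(rule.alert_name).match(alert["name"]):
            return rule
    return None


def dedup_key(rule: DedupRule, alert):
    """The values compared between alerts; None when an observable the rule needs is absent."""
    values = []
    for param in effective_parameters(rule):
        value = alert["name"] if param == "Name" else alert.get("observables", {}).get(param)
        if value is None:
            return None  # assumption: missing data cannot prove a duplicate, so no deduplication
        values.append(value)
    return (rule.rule_name, tuple(values))


class Deduplicator:
    """Consolidates duplicate alerts into one case per distinct dedup key."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.open_cases = {}  # dedup key -> case id
        self.next_case = 1

    def process(self, alert):
        """Return (case_id, is_duplicate, rule_name) for one incoming alert."""
        rule = find_rule(self.rules, alert)
        key = dedup_key(rule, alert) if rule else None
        if key is not None and key in self.open_cases:
            return self.open_cases[key], True, rule.rule_name
        case_id = f"CASE-{self.next_case}"  # constructed identifier scheme
        self.next_case += 1
        if key is not None:
            self.open_cases[key] = case_id
        return case_id, False, rule.rule_name if rule else None


# Constructed table rows and alerts for demonstration; not real products or data.
RULES = (
    DedupRule("phish-by-url", "Phishing %", "MailGateway", ("URL",)),
    DedupRule("edr-by-name", "Malware detected", "EDR", ("Name", "File Hash")),
)

SAMPLE_ALERTS = (
    {"product": "MailGateway", "name": "Phishing link clicked", "observables": {"URL": "http://example.invalid/login"}},
    {"product": "MailGateway", "name": "Phishing email reported", "observables": {"URL": "http://example.invalid/login"}},
    {"product": "MailGateway", "name": "Phishing email reported", "observables": {"URL": "http://example.invalid/other"}},
    {"product": "EDR", "name": "Malware detected", "observables": {"File Hash": "hash-aaa"}},
    {"product": "EDR", "name": "Malware detected", "observables": {"File Hash": "hash-bbb"}},
    {"product": "Firewall", "name": "Port scan", "observables": {}},
    {"product": "Firewall", "name": "Port scan", "observables": {}},
)


def run(rules=RULES, alerts=SAMPLE_ALERTS):
    """Feed the sample alerts through the table and return the per-alert decisions."""
    dedup = Deduplicator(rules)
    return [dedup.process(alert) for alert in alerts]


if __name__ == "__main__":
    for alert, (case_id, is_dup, rule_name) in zip(SAMPLE_ALERTS, run()):
        print(f"{alert['product']:12} {alert['name']:26} -> {case_id} duplicate={is_dup} rule={rule_name}")
```

The two EDR alerts carry different file hashes but still collapse into one case, which is the effect of the Name rule cancelling File Hash; the two Firewall alerts match no row in the table and therefore each open their own case.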