
2.1 Subflow - Get Duplication Rule Workflow

The Subflow 2.1 - Get Duplication Rule Workflow streamlines the Subflow 2 - Create Case process by identifying and applying the right deduplication rule for incoming alerts. It checks the Deduplication Table to filter out duplicates, combining repetitive alerts into a single case. This keeps the system efficient and ensures only unique alerts move forward.


How It Works:

  1. Identify Specific Deduplication Rules
    When an alert is processed, the subflow first checks for a specific deduplication rule linked to the alert type in the Deduplication Table.
  2. Apply Parameters for Comparison
    If a rule is found, the subflow retrieves the defined parameters, such as observables like "URL," "IP Address," or "File Hash," and compares them against existing alerts.
  3. Handle Unspecified Rules
    • If no specific rule exists, the subflow applies a default rule based on a priority hierarchy.
    • If the deduplication parameter is set to "None," deduplication is disabled for that alert type.

Example

  • Alert with Observables:
    An alert contains a suspicious URL (http://evil.com) and a file hash (SHA256: abc123...).
  • Deduplication Process:
    The subflow checks if other alerts with the same URL and file hash already exist. If a match is found, the alert is flagged as a duplicate. Otherwise, it is marked for case creation.
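The lookup described under "How It Works" and the duplicate check in the example above, modelled end to end as an added Python example. This is not the workflow's own code: the shape of the Deduplication Table (a dict keyed by alert type), the use of Python `None` for the "None" setting, the priority-ordered list used as the default rule, and all alert types, observables and hash values are constructed for illustration.

```python
"""Added example (not the product's own code): a minimal model of the
'Get Duplication Rule' lookup and the duplicate check that follows it.

Assumptions (not from the page): the Deduplication Table is a dict keyed by
alert type; a value of None means deduplication is disabled for that type;
when no specific rule exists, a priority-ordered list of observable sets
supplies the default rule.
"""
from dataclasses import dataclass

# Constructed Deduplication Table: alert type -> observable fields to compare.
DEDUP_TABLE = {
    "phishing": ["url", "file_hash"],
    "heartbeat": None,                # deduplication explicitly disabled
}

# Constructed default-rule priority hierarchy: the first entry whose fields
# are all present on the alert is used.
DEFAULT_RULE_PRIORITY = [
    ["file_hash"],
    ["url"],
    ["ip_address"],
]


@dataclass
class Alert:
    alert_type: str
    observables: dict   # e.g. {"url": "...", "file_hash": "..."}


def get_duplication_rule(alert, table=DEDUP_TABLE, defaults=DEFAULT_RULE_PRIORITY):
    """Return the observable fields to compare, or None when dedup is off."""
    if alert.alert_type in table:
        # Specific rule found (may itself be None, meaning disabled).
        return table[alert.alert_type]
    # No specific rule: walk the hierarchy and take the first applicable set.
    for fields in defaults:
        if all(f in alert.observables for f in fields):
            return fields
    return None   # nothing applicable: behave as if disabled


def is_duplicate(alert, existing, rule):
    """True if some existing alert matches on every field named in rule.

    A field missing from the new alert never counts as a match, so two
    alerts that both lack a value are not collapsed into one case.
    """
    if not rule:
        return False
    for other in existing:
        if all(
            alert.observables.get(f) is not None
            and alert.observables.get(f) == other.observables.get(f)
            for f in rule
        ):
            return True
    return False


def route_alert(alert, existing, table=DEDUP_TABLE, defaults=DEFAULT_RULE_PRIORITY):
    """Decide whether an alert is flagged as a duplicate or marked for case creation."""
    rule = get_duplication_rule(alert, table, defaults)
    if rule is None:
        return "create_case"   # dedup disabled: every alert goes forward
    return "duplicate" if is_duplicate(alert, existing, rule) else "create_case"


if __name__ == "__main__":
    # Constructed sample: one existing phishing alert, then a repeat of it.
    seen = [Alert("phishing", {"url": "http://evil.com", "file_hash": "sha256-constructed-a"})]
    repeat = Alert("phishing", {"url": "http://evil.com", "file_hash": "sha256-constructed-a"})
    print(get_duplication_rule(repeat), route_alert(repeat, seen))
```

The "None" setting and the default hierarchy are kept distinct on purpose: a type that is present in the table with `None` is disabled, while a type that is absent falls through to the priority list, which is the order of checks the three steps above describe.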