2.1 Subflow - Get Duplication Rule Workflow
The Subflow 2.1 - Get Duplication Rule Workflow supports the Subflow 2 - Create Case process by identifying and applying the correct deduplication rule for each incoming alert. It consults the Deduplication Table to filter out duplicates, so repeated alerts are folded into a single case. This keeps the system efficient and ensures that only unique alerts move forward to case creation.
How It Works:
- Identify Specific Deduplication Rules
  When an alert is processed, the subflow first checks the Deduplication Table for a deduplication rule linked to the alert type.
- Apply Parameters for Comparison
  If a rule is found, the subflow retrieves the parameters it defines, such as the observables "URL," "IP Address," or "File Hash," and compares them against existing alerts.
- Handle Unspecified Rules
  - If no specific rule exists, the subflow applies a default rule based on a priority hierarchy.
  - If the deduplication parameter is set to "None," deduplication is disabled for that alert type.
Example
- Alert with Observables:
  An alert contains a suspicious URL (http://evil.com) and a file hash (SHA256: abc123...).
- Deduplication Process:
  The subflow checks whether other alerts with the same URL and file hash already exist. If a match is found, the alert is flagged as a duplicate. Otherwise, it is marked for case creation.
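The rule lookup and comparison described above, as an added Python example that is not the workflow's own code. The dict-based Deduplication Table, the DEFAULT_RULE priority order, and the alert structure (a type plus an observables dict) are assumptions made for illustration.

```python
# Constructed sample Deduplication Table: alert type -> observable types to
# compare, or "None" to disable deduplication for that alert type.
DEDUP_TABLE = {
    "Phishing": ["URL", "File Hash"],
    "Malware": ["File Hash"],
    "Heartbeat": "None",
}

# Hypothetical default rule used when no type-specific rule exists; the order
# is the priority hierarchy (file hash outranks URL, which outranks IP).
DEFAULT_RULE = ["File Hash", "URL", "IP Address"]


def get_duplication_rule(alert_type, table=DEDUP_TABLE, default=DEFAULT_RULE):
    """Return the observable types to compare, or None when deduplication is off."""
    rule = table.get(alert_type, default)
    if rule == "None":
        return None
    return list(rule)


def is_duplicate(alert, existing_alerts, rule):
    """True when an existing alert matches on every rule observable the alert carries."""
    if rule is None:
        return False
    keys = [k for k in rule if k in alert["observables"]]
    if not keys:
        return False  # nothing comparable on this alert: treat it as unique
    for other in existing_alerts:
        if all(other["observables"].get(k) == alert["observables"][k] for k in keys):
            return True
    return False


def process_alert(alert, existing_alerts):
    """Outcome of the subflow for one alert: 'duplicate' or 'create_case'."""
    rule = get_duplication_rule(alert["type"])
    return "duplicate" if is_duplicate(alert, existing_alerts, rule) else "create_case"


if __name__ == "__main__":
    # Constructed alerts mirroring the page's example (URL plus SHA256 hash).
    existing = [{"type": "Phishing",
                 "observables": {"URL": "http://evil.com", "File Hash": "abc123"}}]
    incoming = {"type": "Phishing",
                "observables": {"URL": "http://evil.com", "File Hash": "abc123"}}
    print(process_alert(incoming, existing))  # duplicate
```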