If you are using Case Management version 9.0, you should refer to this page.
How It Works:
- Identify Specific Deduplication Rules
  When an alert is processed, the subflow first checks the Deduplication Table for a deduplication rule linked to the alert's type.
- Apply Parameters for Comparison
  If a rule is found, the subflow retrieves the parameters it defines, such as the observables "URL", "IP Address", or "File Hash", and compares their values against those of existing alerts.
- Handle Unspecified Rules
  - If no specific rule exists for the alert type, the subflow applies a default rule selected according to a priority hierarchy.
  - If the deduplication parameter is set to "None", deduplication is disabled for that alert type.
Example
- Alert with Observables:
  An alert contains a suspicious URL (http://evil.com) and a file hash (SHA256: abc123...).
- Deduplication Process:
  The subflow checks whether other alerts with the same URL and the same file hash already exist; both parameters of the rule must match. If a match is found, the alert is flagged as a duplicate. Otherwise, it is marked for case creation.
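The rule lookup, default hierarchy, "None" switch and comparison described above, as an added Python example that is not the product's own subflow code. The table layout (`DEDUP_TABLE`), the default priority order (`DEFAULT_PRIORITY`), the observable field names, the normalisation rules and the sample alerts are all assumptions constructed for the example; the real Deduplication Table schema is not shown on this page.

```python
from dataclasses import dataclass

# Constructed deduplication table (illustrative, not the product's schema):
# alert type -> list of observable fields to compare, or the string "None"
# to disable deduplication for that alert type.
DEDUP_TABLE = {
    "Malicious URL": ["URL", "File Hash"],
    "Brute Force": "None",
}

# Assumed default rule for alert types with no specific entry: a priority
# hierarchy of observable fields, tried in order; the first one present on
# the alert becomes the comparison key.
DEFAULT_PRIORITY = ["File Hash", "URL", "IP Address"]


@dataclass
class Alert:
    id: str
    alert_type: str
    observables: dict  # observable field name -> raw value


def normalize(field_name: str, value: str) -> str:
    """Canonicalise a value so cosmetic differences do not defeat matching."""
    v = value.strip()
    if field_name == "File Hash":
        return v.lower()               # hex digests are case-insensitive
    if field_name == "URL":
        return v.lower().rstrip("/")   # http://evil.com == http://evil.com/
    return v


def resolve_rule(alert: Alert, table=DEDUP_TABLE, default=DEFAULT_PRIORITY):
    """Return the fields to compare for this alert, or None when dedup is disabled."""
    rule = table.get(alert.alert_type)
    if rule == "None":
        return None                      # explicitly disabled for this type
    if rule:
        return list(rule)                # specific rule found
    for field_name in default:           # no specific rule: default hierarchy
        if alert.observables.get(field_name):
            return [field_name]
    return None                          # nothing comparable -> treat as unique


def process_alert(alert: Alert, existing: list, table=DEDUP_TABLE,
                  default=DEFAULT_PRIORITY) -> dict:
    """Decide whether `alert` duplicates one of `existing` or should create a case."""
    fields = resolve_rule(alert, table, default)
    if fields is None:
        return {"action": "create_case", "matched": None, "fields": []}

    # Every field in the rule must be present on the new alert. Comparing a
    # missing value against another missing value would merge unrelated alerts.
    if any(not alert.observables.get(f) for f in fields):
        return {"action": "create_case", "matched": None, "fields": fields}

    key = tuple(normalize(f, alert.observables[f]) for f in fields)
    for other in existing:
        if other.id == alert.id:
            continue
        if any(not other.observables.get(f) for f in fields):
            continue
        if tuple(normalize(f, other.observables[f]) for f in fields) == key:
            return {"action": "duplicate", "matched": other.id, "fields": fields}
    return {"action": "create_case", "matched": None, "fields": fields}


# Constructed sample alerts, mirroring the page's example.
EXISTING = [
    Alert("A-1", "Malicious URL", {"URL": "http://evil.com", "File Hash": "ABC123"}),
    Alert("A-2", "Port Scan", {"IP Address": "10.0.0.5"}),
]


def demo() -> dict:
    """Run the four cases the rules distinguish; returns alert id -> action."""
    incoming = [
        Alert("A-3", "Malicious URL", {"URL": "http://evil.com/", "File Hash": "abc123"}),
        Alert("A-4", "Malicious URL", {"URL": "http://evil.com"}),   # hash missing
        Alert("A-5", "Port Scan", {"IP Address": "10.0.0.5"}),       # default rule
        Alert("A-6", "Brute Force", {"IP Address": "10.0.0.5"}),     # dedup disabled
    ]
    return {a.id: process_alert(a, EXISTING)["action"] for a in incoming}


if __name__ == "__main__":
    for alert_id, action in demo().items():
        print(alert_id, action)
```

Two points worth carrying into a real subflow: a rule with several parameters should require all of them to match (A-4, which lacks the hash, is not merged into A-1 on the URL alone), and values should be normalised before comparison, otherwise a trailing slash or an upper-case digest turns the same indicator into a new case.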