Detailed Explanation of Subflow 2.1 - Get Duplication Rule Workflow
If you are using Case Management version 9.0, you should refer to this page
The Subflow 2.1 - Get Duplication Rule Workflow streamlines the Subflow 2 - Create Case process by identifying and applying the right deduplication rule for incoming alerts. It checks the Deduplication Table to filter out duplicates, combining repetitive alerts into a single case. This keeps the system efficient and ensures only unique alerts move forward.
Identify Specific Deduplication Rules
When an alert is processed, the subflow first checks for a specific deduplication rule linked to the alert type in the Deduplication Table.
Apply Parameters for Comparison
If a rule is found, the subflow retrieves the parameters the rule defines (observables such as “URL,” “IP Address,” or “File Hash”) and compares those observables against the ones on existing alerts.
Handle Unspecified Rules
If no specific rule exists, the subflow applies a default rule based on a priority hierarchy.
If the deduplication parameter is set to “None,” deduplication is disabled for that alert type.
Alert with Observables:
An alert contains a suspicious URL (http://evil.com) and a file hash (SHA256: abc123...).
Deduplication Process:
The subflow checks if other alerts with the same URL and file hash already exist. If a match is found, the alert is flagged as a duplicate. Otherwise, it is marked for case creation.
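The lookup-then-compare logic described in the steps above and in the URL/file-hash example, written out as an added Python example. This is not the product's own code: the shape of the Deduplication Table, the hypothetical "default" entry that stands in for the fallback rule, the field names and the sample alerts are all constructed assumptions. It goes one step beyond the text by normalizing observables before comparison, so that a hash in upper-case hex or a URL with a capitalized host still matches the same alert.

```python
"""Added example of the Subflow 2.1 deduplication decision.

Not the product's own code. The table layout, the "default" fallback entry,
the observable field names and the sample alerts below are constructed
assumptions used only to make the logic runnable.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the Deduplication Table: alert type -> observables
# to compare. "None" disables deduplication for that alert type. The "default"
# key is a hypothetical representation of the fallback rule applied when no
# specific rule exists for the alert type.
DEDUPLICATION_TABLE = {
    "Phishing": ["URL", "File Hash"],
    "Malware": ["File Hash"],
    "Informational": "None",
    "default": ["IP Address"],
}

# Constructed sample of alerts already in the system.
EXISTING_ALERTS = [
    {"id": "A-1", "type": "Phishing",
     "observables": {"URL": "http://evil.com", "File Hash": "abc123"}},
    {"id": "A-2", "type": "Malware",
     "observables": {"File Hash": "def456", "IP Address": "203.0.113.10"}},
]


def get_deduplication_rule(alert_type, table=DEDUPLICATION_TABLE):
    """Return the observable fields to compare for this alert type.

    A specific rule wins; otherwise the fallback rule applies. Returns None
    when the rule is "None", i.e. deduplication is disabled for the type.
    """
    rule = table.get(alert_type, table["default"])
    if rule == "None":
        return None
    return list(rule)


def normalize(field_name, value):
    """Canonicalise an observable so trivially different spellings match.

    Hex hashes are case-insensitive; URL scheme and host are case-insensitive
    and an empty path is the same as "/". Other fields are only stripped.
    """
    value = value.strip()
    if field_name == "File Hash":
        return value.lower()
    if field_name == "URL":
        p = urlsplit(value)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                           p.path or "/", p.query, p.fragment))
    return value


def find_duplicate(alert, existing_alerts, rule):
    """Return the id of an existing alert sharing every observable in the rule,
    or None when there is no such alert.

    An alert that lacks one of the rule's observables cannot be matched on it,
    so it is treated as unique rather than silently matched on fewer fields.
    """
    obs = alert["observables"]
    if any(obs.get(f) is None for f in rule):
        return None
    wanted = {f: normalize(f, obs[f]) for f in rule}
    for other in existing_alerts:
        other_obs = other["observables"]
        if all(other_obs.get(f) is not None
               and normalize(f, other_obs[f]) == v
               for f, v in wanted.items()):
            return other["id"]
    return None


def process_alert(alert, existing_alerts=EXISTING_ALERTS,
                  table=DEDUPLICATION_TABLE):
    """Decide whether an incoming alert is a duplicate or needs a new case.

    Returns ("duplicate", <matched id>) or ("create_case", None).
    """
    rule = get_deduplication_rule(alert["type"], table)
    if rule is None:                      # deduplication disabled for this type
        return ("create_case", None)
    match = find_duplicate(alert, existing_alerts, rule)
    if match is not None:
        return ("duplicate", match)
    return ("create_case", None)


if __name__ == "__main__":
    incoming = {"type": "Phishing",
                "observables": {"URL": "HTTP://Evil.com/", "File Hash": "ABC123"}}
    print(process_alert(incoming))        # ('duplicate', 'A-1')
```

The "Informational" row shows the disabled case from the text: even when its observables match an existing alert, the subflow never reaches the comparison and the alert goes straight to case creation. Removing `normalize` and comparing raw strings is the simplest way to see why canonicalisation matters: the upper-case hash in the sample no longer matches.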