Alert Processing
Subflow 2.3 - Link Alert to Existing Case
Detailed Explanation of Subflow 2.3 - Link Alert to Existing Case
If you are using Case Management version
9.0, you should refer to this page
How It Works:
Once the alert has been processed and deduplicated (via the Subflow 2.1 - Get Duplication Rule Workflow and the Subflow 2.2 - Check for Case Duplicates), Subflow 2.3 - Link Alert to Existing Case steps in to link the alert to the most relevant existing case. If the alert is identified as a duplicate, this subflow uses key observables (such as “File Hash,” “IP Address,” or “URL”) to search for an existing case that matches the alert’s details. For example, if the alert contains an observable likeFile Hash: SHA256: abc123... or an IP address, the subflow will search for cases with the same observables.
Once the relevant case is identified, Subflow 2.3 - Link Alert to Existing Case links the alert to that case. This helps to maintain organized case management by consolidating related alerts into one case, preventing redundancy. Additionally, if the alert’s severity is higher than the linked case’s severity, the subflow updates the case’s severity to match the alert’s, ensuring the case reflects the highest level of urgency.
Example in Action:
- Alert:
- An alert with the observable
File Hash: SHA256: abc123...and severityHighis processed.
- An alert with the observable
- Linking Process:
- Subflow 2.3 - Link Alert to Existing Case searches for a case that contains the same file hash. If an existing case is found, the alert is linked to it. If the alert’s severity is higher than the case’s severity, the case severity is updated to
High.
- Subflow 2.3 - Link Alert to Existing Case searches for a case that contains the same file hash. If an existing case is found, the alert is linked to it. If the alert’s severity is higher than the case’s severity, the case severity is updated to