The Subflow 2.3 - Link Alert to Existing Case is an important part of the “On New Table Record - Process Alert” workflow and directly supports Subflow 2 - Create Case. Its main role is to determine if an incoming alert should be linked to an existing case or if a new case needs to be created. This prevents duplication, keeps the case management system organized, and ensures alerts are grouped appropriately. Additionally, it updates the case’s severity when necessary, helping analysts prioritize and respond effectively.

How It Works:

Once the alert has been processed and deduplicated (via the Subflow 2.1 - Get Duplication Rule Workflow and the Subflow 2.2 - Check for Case Duplicates), Subflow 2.3 - Link Alert to Existing Case steps in to link the alert to the most relevant existing case. If the alert is identified as a duplicate, this subflow uses key observables (such as “File Hash,” “IP Address,” or “URL”) to search for an existing case that matches the alert’s details. For example, if the alert contains an observable like File Hash: SHA256: abc123... or an IP address, the subflow will search for cases with the same observables.

Once the relevant case is identified, Subflow 2.3 - Link Alert to Existing Case links the alert to that case. This helps to maintain organized case management by consolidating related alerts into one case, preventing redundancy. Additionally, if the alert’s severity is higher than the linked case’s severity, the subflow updates the case’s severity to match the alert’s, ensuring the case reflects the highest level of urgency.

Example in Action:

  • Alert:
    • An alert with the observable File Hash: SHA256: abc123... and severity High is processed.
  • Linking Process:
    • Subflow 2.3 - Link Alert to Existing Case searches for a case that contains the same file hash. If an existing case is found, the alert is linked to it. If the alert’s severity is higher than the case’s severity, the case severity is updated to High.