v9.0

Deduplication Rules define how the system detects and groups repeated alerts that represent the same underlying issue. Instead of creating a new case for every incoming alert, the system uses these rules to decide whether an alert should be attached to an existing case.

This reduces alert fatigue, prevents redundant case creation, and helps analysts focus on investigating unique incidents. Users can configure deduplication rules based on fields like alert type, source, severity, or custom attributes — allowing for precise control over how alerts are consolidated into cases.


How to Create a Deduplication Rule

  1. Navigate to Case Management Settings

     In Case Management Settings, click the “Deduplication Rules” tab under the General Settings section.

  2. Click the 'New Rule' button

     The button is located in the top-right corner of the page.

  3. Fill out the following parameters

     Note: if the required vendor is not available in the predefined list, you can create a custom one in the Case Management Settings.

     • Rule Name: Provide a unique name for the deduplication rule.
     • Description: Provide a brief description of the deduplication rule.
     • Vendors: Specify the vendor(s) the rule targets, e.g., Microsoft Outlook, CrowdStrike or Proofpoint. You can select one or multiple vendors. If no vendors are selected, all vendors from the list are included by default.
     • Alert Name: Enter the name of the alert to which this rule will apply.
     • Use Regex: Enable this to have the Alert Name interpreted as a regular expression matching pattern.
     • Lookback Period: The time frame, in days, during which past cases are considered as candidate duplicates for the specified rule.
     • Deduplication Condition: The condition for applying the deduplication rule (see Deduplication Conditions below).

  4. Save the Newly Created Rule

     After filling in the required fields, click the Save button. Your new deduplication rule will appear in the table, listed alongside the existing deduplication rules.

  5. Deduplication Rule Assignment

     The Case Deduplication Action will then automatically select the most suitable deduplication rule for each incoming alert.


Alert Name Syntax Rules

  1. If the ‘Alert Name’ input is left blank, the ‘Extract Observable Rules’ will be applied to all alerts.

  2. When matching alert names, the system prioritizes the longest matching string. Exact matches take precedence over regular expression (regex) patterns.

  3. The Alert Name field in ‘Extract Observable Rule’ supports Regular Expressions (Regex), allowing you to define flexible matching patterns. This enables dynamic grouping and processing of similar alerts — even when alert names contain varying formats, dynamic elements like timestamps or IDs, or share common prefixes or suffixes.


Deduplication Conditions

Deduplication Conditions let you define the logic used to detect duplicate alerts, observables or relations.

Each deduplication rule can include multiple conditions, and these conditions are combined using the AND operator — meaning all conditions in the rule must be true for a match.

When you define multiple rules, they are combined using the OR operator — meaning if any one rule matches, the alert is considered a duplicate.

  • To mark something as a duplicate only when all specific criteria are met, include all those conditions in a single rule.
  • To mark something as a duplicate if it meets any one of several criteria, create a separate rule for each.

Condition Statement Options

  1. When a case contains an…
    • Alert with the same name: This condition checks whether an incoming alert has the same name as an alert already linked to an existing case.
  2. When a case contains…
    • all observables of all types and any relation: This condition checks whether all observables (regardless of type or relation) from the incoming alert are already present in a case. If even one observable is missing, the condition does not match.
    • all observables of type (X) and relation (Y): This condition checks whether all observables of a certain type (e.g., IP Address, Hash, Domain) and with a specific relation (e.g., Source, Destination, Executed By) from the alert are already linked to an existing case. If all observables that meet both the type and relation criteria are found in the case, it is considered a duplicate.
  3. When a case contains…
    • some observables of any type and any relation: This condition checks whether at least one observable, regardless of its type or relation, from the alert already exists in a case.
    • some observables of type (X) and relation (Y): This condition checks whether at least one observable of a specific type and relation from the incoming alert is already in an existing case.

Then (if all the above conditions are satisfied): link the alert and its observables to that case.
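As an added illustration (not the product's own code), the following Python sketch models the rule semantics described in the Alert Name Syntax Rules and Deduplication Conditions sections: exact alert names outrank regex patterns and the longest matching string wins, cases outside the lookback period are ignored, conditions inside a rule are ANDed, and rules are tried in turn (OR). The data model, function names, the use of full-string regex matching, day-number timestamps, and treating an alert with no observables of the requested type as a non-match are assumptions rather than documented behaviour.

```python
import re
from dataclasses import dataclass

@dataclass
class Case:
    case_id: str
    alert_names: set
    observables: set      # (type, relation, value) tuples already linked to the case
    last_seen: int        # day number of the case's last update (assumed representation)

@dataclass
class Rule:
    name: str
    alert_name: str = ""  # blank applies the rule to every alert
    use_regex: bool = False
    lookback_days: int = 30
    conditions: tuple = ()  # ANDed; each is (kind, type or None, relation or None)

def name_matches(rule, alert_name):
    if not rule.alert_name:
        return True
    if rule.use_regex:  # full-string match is an assumption about the product's regex semantics
        return re.fullmatch(rule.alert_name, alert_name) is not None
    return rule.alert_name == alert_name

def condition_holds(cond, alert_name, observables, case):
    kind, type_, relation = cond  # kind is "same_name", "all" or "some"
    if kind == "same_name":
        return alert_name in case.alert_names
    picked = {o for o in observables if type_ in (None, o[0]) and relation in (None, o[1])}
    if kind == "all":  # every selected observable must already be on the case; none selected = no match
        return bool(picked) and picked <= case.observables
    return bool(picked & case.observables)  # "some": at least one is already on the case

def find_duplicate_case(rules, alert_name, observables, received_day, cases):
    # Exact names outrank regex patterns; among equals the longest matching string wins.
    ranked = sorted((r for r in rules if name_matches(r, alert_name)),
                    key=lambda r: (not r.use_regex, len(r.alert_name)), reverse=True)
    for rule in ranked:  # rules are ORed: the first rule whose conditions all hold wins
        for case in cases:
            if case.last_seen >= received_day - rule.lookback_days and all(
                    condition_holds(c, alert_name, observables, case) for c in rule.conditions):
                return case.case_id, rule.name
    return None  # no duplicate found: a new case would be created
```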


Deduplication Rule Use Case Examples