Tip: Consider the Following Questions
1. Navigate to Case Management Settings.
2. Click the 'New Rule' button.
3. Fill out the following parameters:

Parameter | Description |
---|---|
Rule Name | Provide a unique name for the deduplication rule. |
Description | Provide a brief description of the deduplication rule. |
Vendors | Specify the vendor(s) the rule targets, e.g., Microsoft Outlook, CrowdStrike or Proofpoint. You can select one or multiple vendors. If no vendors are selected, all vendors from the list are included by default. |
Alert Name | Enter the name of the alert to which this rule will apply. |
Use Regex | Treat the Alert Name as a regular expression pattern instead of a literal string. |
Lookback Period | The time frame, in days, during which past cases are considered as candidate duplicates for this rule. |
Deduplication Condition | The condition under which a new alert is treated as a duplicate of an existing case. |

4. Save the newly created rule.
Deduplication Rule Assignment
Example of Using Regex in an Alert Name

Pattern: `^Critical Alert [0-9]+$`

- `^` matches the beginning of the alert name.
- `Critical Alert` matches the literal text.
- `[0-9]+` matches one or more digits.
- `$` matches the end of the alert name.

This would match:

- Critical Alert 123
- Critical Alert 4567

This would not match:

- Critical Alert (no numbers)
- Info Alert 123 (doesn't start with "Critical Alert")

Within a single rule, the conditions are combined using the AND operator, meaning all conditions in the rule must be true for a match.

When you define multiple rules, they are combined using the OR operator, meaning if any one rule matches, the alert is considered a duplicate.
Use Case Example: Deduplication Rule for Okta Brute Force Alerts

An Okta brute force alert is received with source IP 192.168.1.10. Since there is no existing case that matches, a new case is created.

At 14:10, another alert with the same name and same source IP is received. Because the deduplication rule is configured to:

Use Case Example: Deduplication Rule for Duplicate File Alerts in ServiceNow
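The following Python model ties together the regex example and the Okta use case above. It is an added illustration, not the product's own code or API: the rule fields mirror the parameter table, but the product's actual data model, the exact semantics of its Deduplication Condition, the alert name "Okta Brute Force", the timestamps and the second source IP are all assumptions constructed for the example. Conditions inside one rule are ANDed, rules are ORed, and the lookback period is enforced by timestamp.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed model of a deduplication rule, following the parameter table above.
# Field names and the meaning of "condition_fields" are assumptions for illustration;
# the page does not document the product's internal representation.
@dataclass
class DedupRule:
    name: str
    vendors: set            # empty set = all vendors (the table's default)
    alert_name: str         # literal name, or a pattern when use_regex is True
    use_regex: bool
    lookback_days: int
    condition_fields: list  # alert fields that must be equal for a duplicate (assumed)


@dataclass
class Alert:
    vendor: str
    name: str
    received: datetime
    fields: dict


@dataclass
class Case:
    case_id: int
    alerts: list = field(default_factory=list)


def alert_name_matches(rule: DedupRule, name: str) -> bool:
    # The page's pattern carries its own ^ and $ anchors, so re.search is used;
    # an unanchored pattern would match anywhere inside the alert name.
    if rule.use_regex:
        return re.search(rule.alert_name, name) is not None
    return rule.alert_name == name


def rule_applies(rule: DedupRule, alert: Alert) -> bool:
    """Vendor filter AND alert-name match: all conditions in one rule must hold."""
    if rule.vendors and alert.vendor not in rule.vendors:
        return False
    return alert_name_matches(rule, alert.name)


def is_duplicate(rule: DedupRule, alert: Alert, prior: Alert) -> bool:
    """True if `prior` makes `alert` a duplicate under `rule` (AND of all checks)."""
    cutoff = alert.received - timedelta(days=rule.lookback_days)
    if prior.received < cutoff:          # outside the lookback period
        return False
    if not rule_applies(rule, prior):
        return False
    return all(alert.fields.get(f) == prior.fields.get(f) for f in rule.condition_fields)


class CaseManager:
    def __init__(self, rules):
        self.rules = rules
        self.cases = []
        self._next_id = 1

    def ingest(self, alert: Alert):
        """Returns (case, was_deduplicated). Rules are ORed: the first rule that
        finds a matching earlier alert attaches the new alert to that case."""
        for rule in self.rules:
            if not rule_applies(rule, alert):
                continue
            for case in self.cases:
                if any(is_duplicate(rule, alert, prior) for prior in case.alerts):
                    case.alerts.append(alert)
                    return case, True
        case = Case(self._next_id, [alert])
        self._next_id += 1
        self.cases.append(case)
        return case, False


# The regex rule from the example above (7-day lookback is an assumed value).
CRITICAL_RULE = DedupRule("critical", set(), r"^Critical Alert [0-9]+$", True, 7, [])

# Okta brute force rule: same alert name and same source IP within 7 days (assumed).
OKTA_RULE = DedupRule("okta-bruteforce", {"Okta"}, "Okta Brute Force", False, 7, ["source_ip"])


def okta_scenario():
    """Constructed replay of the Okta use case; returns [(case, was_deduplicated), ...]."""
    mgr = CaseManager([OKTA_RULE])
    t0 = datetime(2024, 1, 1, 14, 0)   # constructed first-alert time
    alerts = [
        Alert("Okta", "Okta Brute Force", t0, {"source_ip": "192.168.1.10"}),
        Alert("Okta", "Okta Brute Force", t0 + timedelta(minutes=10), {"source_ip": "192.168.1.10"}),
        Alert("Okta", "Okta Brute Force", t0 + timedelta(minutes=12), {"source_ip": "10.0.0.5"}),  # assumed IP
        Alert("Okta", "Okta Brute Force", t0 + timedelta(days=8), {"source_ip": "192.168.1.10"}),
    ]
    return [mgr.ingest(a) for a in alerts]
```

The replay shows the three outcomes a practitioner should check when tuning a rule: the 14:10 alert is folded into the existing case, the alert from a different source IP opens its own case, and the alert arriving after the lookback period opens a new case even though its name and IP match. Keep condition fields tight and the lookback short enough for the threat: a rule that dedups on alert name alone, or an unanchored regex, will silently merge distinct attacks into one case where they are easy to overlook.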
Key Considerations for Choosing Deduplication Parameters