Create email duplication rules in Security Operations

You can use Duplication Rules to identify new emails that have active duplicate records and process them appropriately.

Before you begin

Role required: sn_sec_cmn.write

Procedure

  1. Navigate to Security Operations > Duplication Rules.
  2. Click New.
  3. Fill in the fields on the form, as appropriate:
    Table 1. Duplication rule
    Field: Description
    Name: The name of the duplication rule.
    Table: Table where records are created and used to determine duplication.
    Identifying fields: Select a set of fields that indicate a duplicate security incident, observable, vulnerability, and so on, when the values in these fields are identical.
    Application: Scope of the application.
    Duplicate action: Governs how to handle duplicate emails. Choices are:
      Create as child: Creates a record as a child of the original. The field linking the child to the parent is specified as Parent field.
      Do not create nor update records (default): Does nothing. Ignores duplicates.
      Update duplicate record: Updates the existing record's fields specified in Duplication Actions.
      Note: If you choose Update duplicate record, the Duplication Actions related list appears.
    Active: Select this check box to activate the rule.
    Description: Describes the purpose and application of this duplication rule and when it should be used, such as a rule designed for an IP-based observable or for security incidents from the firewall.
  4. Right-click in the record header and select Save or click Update.
  5. To set duplication actions, if you chose Update duplicate record, click New to create a duplication action for each field you want to update in the incident.
  6. Fill in or edit the fields on the form to describe how to update the field:
    Table 2. Duplication actions
    Field: Description
    Field: The name of the field to use for the duplication action.
    Action: The supported actions vary by the field type. Choices are:
      Update this field with the new value: Replaces the previous value in the existing record with this value.
      Append the new value to a comma separated list, if unique: Treats the value as an entry in a comma-separated list and adds the new data (if any) as a new entry in that list. If the data is already in the list, it is not added twice.
      Append the new value to this field: Appends the new value to the end of the existing text in the field.
      Add one to a counter field: Adds one to the numeric field.
      Set the field to today: Sets the field to the current date and time.
      Append to related list: Adds the related record with this value to the related list of the current record. Appears when there is a many-to-many table, with a column of the same type, linked to the table being updated. For example, Affected CI or Affected User.
    Relationship: [Optional] This field appears only when the Append to related list action is chosen. It is the name of the related list you want to associate with this rule.
    Duplication rule: Rule that this action is part of.
    Table: Table where records are created. Displayed for information only.
    Active: Select this check box to activate the action.
    [Figure: Duplication actions with relationship]
  7. Click Submit.
    [Figure: Duplication rule]
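
To make the effect of the choices in Table 1 and Table 2 concrete, the following added example (plain JavaScript written for this page, not ServiceNow platform code) models how a rule with Update duplicate record changes an existing record when matching emails arrive. The function names, action keys, field names (source_ip, hit_count and so on) and sample records are constructed for illustration. It assumes a duplicate means an active record with identical values in every identifying field, and it does not model Append to related list.

```javascript
// Simplified model in plain JavaScript, not ServiceNow code; action keys are made-up names.
const ACTIONS = {
  replace: (oldVal, newVal) => newVal,
  appendUniqueCsv: (oldVal, newVal) => {
    const items = String(oldVal || '').split(',').map(s => s.trim()).filter(Boolean);
    const entry = String(newVal || '').trim();
    if (entry && !items.includes(entry)) items.push(entry); // never added twice
    return items.join(',');
  },
  appendText: (oldVal, newVal) => String(oldVal || '') + String(newVal || ''),
  addOne: (oldVal) => (Number(oldVal) || 0) + 1,
  setToday: (oldVal, newVal, now) => now.toISOString(),
};

// Apply one duplication rule to a record parsed from a new email.
function processIncoming(rule, records, incoming, now = new Date()) {
  const dup = records.find(r => r.active && rule.identifyingFields.every(f => r[f] === incoming[f]));
  if (!rule.active || !dup) {
    records.push({ ...incoming, active: true });
    return 'created';
  }
  if (rule.duplicateAction === 'create_as_child') {
    records.push({ ...incoming, active: true, [rule.parentField]: dup.id });
    return 'created_child';
  }
  if (rule.duplicateAction === 'update_duplicate') {
    for (const a of rule.actions.filter(x => x.active)) {
      dup[a.field] = ACTIONS[a.action](dup[a.field], incoming[a.field], now);
    }
    return 'updated';
  }
  return 'ignored'; // "Do not create nor update records" (default)
}

// Constructed sample: firewall alert emails keyed on source IP and category.
function demo() {
  const rule = { active: true, identifyingFields: ['source_ip', 'category'],
    duplicateAction: 'update_duplicate', parentField: 'parent',
    actions: [
      { field: 'affected_hosts', action: 'appendUniqueCsv', active: true },
      { field: 'hit_count', action: 'addOne', active: true },
      { field: 'short_description', action: 'replace', active: false },
    ] };
  const records = [{ id: 'SIR-1', active: true, source_ip: '203.0.113.7',
    category: 'firewall', affected_hosts: 'web01', hit_count: 1, short_description: 'first' }];
  const mail = { id: 'SIR-2', source_ip: '203.0.113.7', category: 'firewall',
    affected_hosts: 'db02', short_description: 'second' };
  const results = [processIncoming(rule, records, mail), processIncoming(rule, records, mail)];
  return { results, record: records[0], total: records.length };
}
```

Sending the same email twice leaves one record with affected_hosts set to web01,db02 and hit_count at 3, while the inactive action leaves short_description untouched.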