Create duplication rules in Security Operations You can use Duplication Rules to identify new email, enrichment data, or field maps with active duplicate records and process them appropriately. Before you beginRole required: sn_sec_cmn.write Procedure Navigate to Security Operations > Duplication Rules . Click New. Fill in the fields on the form, as appropriate: Table 1. Duplication rule Field Description Name The name of the duplication rule. Table Table where records are created and used to determine duplication. Identifying fields Select a set of fields that indicate a duplicate security incident, observable, vulnerability, and so on, when the values in these fields are identical. Duplicate action Governs how to handle duplicate emails. Choices are: Create as child Creates a record as a child of the original. The field linking the child to the parent is the Parent field. Do not create nor update records (default) Does nothing. Ignores duplicates. Update duplicate record Updates the fields in the existing record as specified in Duplication Actions.Note: If you choose Update duplicate record, the Duplication Actions related list appears. Active Select this check box to activate the rule. Description Describes the purpose and application of this duplication rule; when it should be used, for example a rule designed for IP-based observable, or security incidents from the firewall. Right-click in the record header and select Save or click Update. To set duplication actions, if you have chosen Update duplicate record, click New to create duplication actions for each field you want to update in the incident. Fill in or edit the fields on the form, to describe how to update the field: Table 2. Duplication actions Field Description Field The name of the field to use for the duplication action. Action The actions supported vary by field type. Choices are: Update this field with the new value Replaces the previous value in the existing record with this value. Append the new value to a comma separated list, if unique Treats the value as an entry in a comma-separated list and adds the new data (if any) as a new entry in that list. If the data is already in the list, it is not added twice. Append the new value to this field Appends the new value to the end of the existing text in the field. Add one to a counter field Adds one to the numeric field. Set the field to today Sets the field to the current date and time. Append to related list Adds the related record with this value to the related list of the current record. Appears when there is a many-to-many table, with a column of the same type, linked to the table being updated. For example, Affected CI or Affected User. Relationship [Optional] This field appears only when the Append to related list action is chosen. It is the name of the related list you want to associate with this rule. Duplication rule Rule that this action is part of. Table Table where records are created. Displays as information only. Active Select this check box to activate the action. Click Submit.