
Create duplication rules in Security Operations


You can use Duplication Rules to identify new email, enrichment data, or field maps with active duplicate records and process them appropriately.

Before you begin

Role required: sn_sec_cmn.write


  1. Navigate to Security Operations > Duplication Rules.
  2. Click New.
  3. Fill in the fields on the form, as appropriate:
    Table 1. Duplication rule

    Field | Description
    ----- | -----------
    Name | The name of the duplication rule.
    Table | Table where records are created and used to determine duplication.
    Identifying fields | Select a set of fields that indicate a duplicate security incident, observable, vulnerability, and so on, when the values in these fields are identical.
    Duplicate action | Governs how to handle duplicate emails. Choices are:
      - Create as child: Creates a record as a child of the original. The field linking the child to the parent is the Parent field.
      - Do not create nor update records: (default) Does nothing. Ignores duplicates.
      - Update duplicate record: Updates the fields in the existing record as specified in Duplication Actions.
      Note: If you choose Update duplicate record, the Duplication Actions related list appears.
    Active | Select this check box to activate the rule.
    Description | Describes the purpose and application of this duplication rule and when it should be used. For example, a rule designed for IP-based observables, or for security incidents from the firewall.
  4. Right-click in the record header and select Save or click Update.
  5. To set duplication actions, if you have chosen Update duplicate record, click New to create duplication actions for each field you want to update in the incident.
  6. Fill in or edit the fields on the form, to describe how to update the field:
    Table 2. Duplication actions

    Field | Description
    ----- | -----------
    Field | The name of the field to use for the duplication action.
    Action | The actions supported vary by field type. Choices are:
      - Update this field with the new value: Replaces the previous value in the existing record with this value.
      - Append the new value to a comma separated list, if unique: Treats the value as an entry in a comma-separated list and adds the new data (if any) as a new entry in that list. If the data is already in the list, it is not added twice.
      - Append the new value to this field: Appends the new value to the end of the existing text in the field.
      - Add one to a counter field: Adds one to the numeric field.
      - Set the field to today: Sets the field to the current date and time.
      - Append to related list: Adds the related record with this value to the related list of the current record. Appears when there is a many-to-many table, with a column of the same type, linked to the table being updated. For example, Affected CI or Affected User.
    Relationship | [Optional] This field appears only when the Append to related list action is chosen. It is the name of the related list you want to associate with this rule.
    Duplication rule | Rule that this action is part of.
    Table | Table where records are created. Displays as information only.
    Active | Select this check box to activate the action.

    [Figure: Duplication actions with relationship]
  7. Click Submit.
    [Figure: Duplication rule]
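
A small model of the behaviour configured in the steps above, added here as an illustration: it is not ServiceNow code and uses no platform API. The record shapes, field names (`sources`, `sightings`, `last_seen`) and action keys are assumptions made for the example, and the Append to related list action is not modelled.

```javascript
// Illustrative model only: not ServiceNow code and not a Glide API.
// Record shapes, field names and action keys are constructed for this example.
const ACTIONS = {
  update: (oldVal, newVal) => newVal,
  append_unique_csv: (oldVal, newVal) => {
    const items = String(oldVal || '').split(',').map(s => s.trim()).filter(Boolean);
    const incoming = String(newVal || '').trim();
    if (incoming && !items.includes(incoming)) items.push(incoming);
    return items.join(',');
  },
  append: (oldVal, newVal) => String(oldVal || '') + String(newVal || ''),
  increment: (oldVal) => (Number(oldVal) || 0) + 1,
  set_today: (oldVal, newVal, now) => now.toISOString(),
};

// Duplicate = an active record whose identifying fields all equal the incoming values.
function findDuplicate(rule, table, incoming) {
  return table.find(r => r.active && rule.identifyingFields.every(f => r[f] === incoming[f]));
}

function applyRule(rule, table, incoming, now = new Date()) {
  const dup = rule.active ? findDuplicate(rule, table, incoming) : undefined;
  if (!dup) { table.push({ ...incoming, active: true }); return 'created'; }
  if (rule.duplicateAction === 'create_child') {
    table.push({ ...incoming, active: true, parent: dup.id }); // linked via Parent field
    return 'created_child';
  }
  if (rule.duplicateAction !== 'update') return 'ignored'; // default: do nothing
  for (const a of rule.actions.filter(a => a.active)) {
    dup[a.field] = ACTIONS[a.action](dup[a.field], incoming[a.field], now);
  }
  return 'updated';
}

// Constructed sample: the same IP observable arrives twice, then a different IP once.
function demo() {
  const rule = { active: true, identifyingFields: ['type', 'value'], duplicateAction: 'update',
    actions: [
      { field: 'sources', action: 'append_unique_csv', active: true },
      { field: 'sightings', action: 'increment', active: true },
      { field: 'last_seen', action: 'set_today', active: true } ] };
  const table = [{ id: 'OBS1', active: true, type: 'ip', value: '203.0.113.7',
    sources: 'firewall', sightings: 1, last_seen: '2024-01-01T00:00:00.000Z' }];
  const now = new Date('2024-06-01T12:00:00Z');
  const seen = { type: 'ip', value: '203.0.113.7', sources: 'email' };
  const results = [applyRule(rule, table, seen, now), applyRule(rule, table, seen, now),
    applyRule(rule, table, { ...seen, value: '198.51.100.9' }, now)];
  return { results, table };
}
```

Choosing identifying fields that are too narrow (for example `value` alone) would merge an IP and a domain observable that share a string, so the model is useful for checking a field set against sample records before activating a rule.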