Create duplication rules in Security Operations
- Updated Jan 30, 2025
- Yokohama
- Security Operations
You can use Duplication Rules to identify new email, enrichment data, or field maps with active duplicate records and process them appropriately.
Before you begin
Role required: sn_sec_cmn.write
Procedure
- Navigate to All > Security Operations > Duplication Rules.
- Click New.
- Fill in the fields on the form, as appropriate:
  Table 1. Duplication rule
  Field: Description
  Name: The name of the duplication rule.
  Table: Table where records are created and used to determine duplication.
  Identifying fields: Select a set of fields that indicate a duplicate security incident, observable, vulnerability, and so on, when the values in these fields are identical.
  Duplicate action: Governs how to handle duplicate emails. Choices are:
    - Create as child: Creates a record as a child of the original. The field linking the child to the parent is the Parent field.
    - Do not create nor update records: (default) Does nothing. Ignores duplicates.
    - Update duplicate record: Updates the fields in the existing record as specified in Duplication Actions.
    Note: If you choose Update duplicate record, the Duplication Actions related list appears.
  Active: Select this check box to activate the rule.
  Description: Describes the purpose and application of this duplication rule; when it should be used, for example a rule designed for IP-based observable, or security incidents from the firewall.
- Right-click in the record header and select Save or click Update.
- To set duplication actions, if you have chosen Update duplicate record, click New to create duplication actions for each field you want to update in the incident.
- Fill in or edit the fields on the form, to describe how to update the field:
  Table 2. Duplication actions
  Field: Description
  Field: The name of the field to use for the duplication action.
  Action: The actions supported vary by field type. Choices are:
    - Update this field with the new value: Replaces the previous value in the existing record with this value.
    - Append the new value to a comma separated list, if unique: Treats the value as an entry in a comma-separated list and adds the new data (if any) as a new entry in that list. If the data is already in the list, it is not added twice.
    - Append the new value to this field: Appends the new value to the end of the existing text in the field.
    - Add one to a counter field: Adds one to the numeric field.
    - Set the field to today: Sets the field to the current date and time.
    - Append to related list: Adds the related record with this value to the related list of the current record. Appears when there is a many-to-many table, with a column of the same type, linked to the table being updated. For example, Affected CI or Affected User.
  Relationship: [Optional] This field appears only when the Append to related list action is chosen. It is the name of the related list you want to associate with this rule.
  Duplication rule: Rule that this action is part of.
  Table: Table where records are created. Displays as information only.
  Active: Select this check box to activate the action.
- Click Submit.
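The rule and action semantics described in the tables above, modeled on plain JavaScript objects as an added example. It is not ServiceNow code and not part of the original page; the record shape, the `active`, `id` and `parent` property names, the action keys, and the sample records are constructed assumptions.

```javascript
// Plain-object model of a duplication rule and its duplication actions.
// Not ServiceNow code: property names and sample records are constructed.
const ACTIONS = {
  replace: (oldVal, newVal) => newVal, // Update this field with the new value
  appendUnique: (oldVal, newVal) => {  // Append to a comma separated list, if unique
    const items = String(oldVal || '').split(',').map(s => s.trim()).filter(Boolean);
    if (newVal && !items.includes(newVal)) items.push(newVal);
    return items.join(',');
  },
  increment: (oldVal) => (Number(oldVal) || 0) + 1,      // Add one to a counter field
  today: (oldVal, newVal, now) => now.toISOString(),     // Set the field to today
};

// Applies one rule to an incoming record and reports what happened.
function processIncoming(rule, table, incoming, now = new Date()) {
  // A duplicate has identical values in every identifying field.
  // An empty field set never matches, so it cannot flag every record.
  const same = r => rule.identifyingFields.length > 0 &&
    rule.identifyingFields.every(f => r[f] === incoming[f]);
  const original = rule.active ? table.find(r => r.active && same(r)) : undefined;
  if (!original) { table.push(incoming); return 'created'; }
  if (rule.duplicateAction === 'create_as_child') {
    table.push({ ...incoming, parent: original.id }); // linked through the parent field
    return 'created_as_child';
  }
  if (rule.duplicateAction === 'update_duplicate') {
    for (const a of rule.actions.filter(x => x.active)) {
      original[a.field] = ACTIONS[a.action](original[a.field], incoming[a.field], now);
    }
    return 'updated';
  }
  return 'ignored'; // Do not create nor update records (default)
}

// Constructed sample: a second phishing report from the same source IP.
function demo() {
  const rule = {
    active: true,
    identifyingFields: ['source_ip', 'category'],
    duplicateAction: 'update_duplicate',
    actions: [
      { field: 'reporters', action: 'appendUnique', active: true },
      { field: 'hits', action: 'increment', active: true },
    ],
  };
  const table = [{ id: 'SIR1', active: true, source_ip: '192.0.2.10',
                   category: 'phishing', reporters: 'alice', hits: 1 }];
  const incoming = { id: 'SIR2', active: true, source_ip: '192.0.2.10',
                     category: 'phishing', reporters: 'bob' };
  return { outcome: processIncoming(rule, table, incoming), table };
}
```

With the sample rule, the second report does not create a new record: the original keeps its identity, gains the new reporter in its list, and its counter goes up by one.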