Levels of De-Duplication

  • Do you have an external service provider that sends in the same alert multiple times
  • Or a ‘Smart Next Gen’ device that repeats alerts as it isn’t actually that smart
  • Or users that submit a ticket twice if you don’t reply within 1 minute

These are great use cases for ticket de-duplication; however, the definition of a duplicate can vary, e.g.

  • Some duplicated alerts have the same time stamp (e.g. a resend)
  • Some duplicated alerts have a different timestamp because the service is not stateful: “it’s 13:00 and I’m still seeing this issue”.
  • The unique key attribute might be a compound, IP + CVE (e.g. vulnerability mapping)
  • The unique attributes might be auth login name + service (e.g. VPN brute force attempt from different source IPs)
  • Time-bound grouping, so a 5 min break signifies a new unique alert
  • …Or other

There are many ways to handle different types of duplication, each with different benefits. I’ve listed some examples here, from the most aggressive duplicate removal to the most passive.

Drop new ticket completely, no evidence saved (aggressive dedupe)

Simplest and quickest, great for low-severity ticket noise

Drop the new ticket but add a comment to existing ticket

Helps with tracking the frequency and timing of events for audit, without the extra workload of additional tickets for your team to analyse and close

Create a new ticket as a child ticket

Each new ticket is logged as an independent ticket but becomes a child of the first ticket so they can share data. This ‘child’ still gets its own workplan and playbook execution, though.

Create new ticket and link them

Each alert is an independent ticket that requires closing; however, the tickets are linked in the database, allowing analysts to track the relations and quickly visit them all

Create a new ticket and add a note in old ticket (with a quick-button ‘click here to close’)

Or maybe create the new ticket and just add a comment to the first to say “hey I might be related, but I’m not sure”.  The playbook would encourage the analyst to check off all potential links before closing the ticket.

Create the ticket regardless (minimal dedupe)

This scenario actually has no dedupe functionality and tickets are not checked. However, the platform proactively suggests similar tickets (using machine learning to look for shared IP addresses, IOCs, email addresses, etc.) that an analyst might want to check out.
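To show how the key definitions listed earlier (compound IP + CVE, login + service, a 5 minute break starting a new alert) combine with the dedupe levels above, here is a small de-duplication engine. It is an added example and not code from the original post or from any particular ticketing platform; the alert types, field names, policy names and the sample alerts are all constructed for illustration, and the CVE identifier is a placeholder.

```python
"""Added example (not from the original post): a small ticket de-duplication
engine with per-alert-type compound keys, a time-bound window and a
configurable dedupe level (drop / comment / child / link / none)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Which fields make two alerts "the same" (constructed alert types).
# Note that source IP is deliberately NOT part of the VPN key, so a brute
# force attempt from a different source IP still dedupes to the same ticket.
KEY_FIELDS = {
    "vuln_scan": ("ip", "cve"),          # IP + CVE
    "vpn_auth_fail": ("login", "service"),  # login + service
    "edr": ("host", "rule"),
    "mail_phish": ("sender",),
}

# Dedupe level per alert type, from most aggressive to most passive.
POLICY = {
    "vuln_scan": "drop",        # drop new ticket, no evidence saved
    "vpn_auth_fail": "comment", # drop but comment on the existing ticket
    "edr": "child",             # new ticket as child of the first
    "mail_phish": "link",       # new ticket, linked to the first
}

WINDOW = timedelta(minutes=5)   # a 5 minute break means a new unique alert


@dataclass
class Ticket:
    id: int
    key: tuple
    last_seen: datetime
    comments: list = field(default_factory=list)
    children: list = field(default_factory=list)
    links: list = field(default_factory=list)


class Deduper:
    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self.tickets: list[Ticket] = []
        self.open_by_key: dict[tuple, Ticket] = {}
        self.dropped = 0

    def _key(self, alert: dict) -> tuple:
        fields = KEY_FIELDS.get(alert["type"], ())
        return (alert["type"],) + tuple(alert[f] for f in fields)

    def _new_ticket(self, key: tuple, ts: datetime) -> Ticket:
        t = Ticket(id=len(self.tickets) + 1, key=key, last_seen=ts)
        self.tickets.append(t)
        return t

    def ingest(self, alert: dict) -> tuple[str, int]:
        """Return (action, ticket_id) describing what happened to the alert."""
        key, ts = self._key(alert), alert["ts"]
        existing = self.open_by_key.get(key)
        # Time-bound grouping: no match, or the last sighting is older than
        # the window, means this is a genuinely new alert.
        if existing is None or ts - existing.last_seen > self.window:
            t = self._new_ticket(key, ts)
            self.open_by_key[key] = t
            return ("new", t.id)
        existing.last_seen = ts  # refresh so the window counts from the last repeat
        policy = POLICY.get(alert["type"], "none")
        if policy == "drop":
            self.dropped += 1
            return ("dropped", existing.id)
        if policy == "comment":
            existing.comments.append(f"repeat seen at {ts.isoformat()}")
            return ("comment", existing.id)
        # Remaining levels all raise a fresh ticket; they differ in how it relates.
        fresh = self._new_ticket(key, ts)
        if policy == "child":
            existing.children.append(fresh.id)
            return ("child", fresh.id)
        if policy == "link":
            existing.links.append(fresh.id)
            fresh.links.append(existing.id)
            return ("linked", fresh.id)
        return ("new", fresh.id)


# Constructed sample feed; IPs are from documentation ranges, CVE is a placeholder.
T0 = datetime(2024, 1, 1, 13, 0)
SAMPLE_ALERTS = [
    {"type": "vuln_scan", "ip": "192.0.2.5", "cve": "CVE-PLACEHOLDER-1", "ts": T0},
    {"type": "vuln_scan", "ip": "192.0.2.5", "cve": "CVE-PLACEHOLDER-1", "ts": T0},  # exact resend
    {"type": "vuln_scan", "ip": "192.0.2.5", "cve": "CVE-PLACEHOLDER-1", "ts": T0 + timedelta(minutes=3)},
    {"type": "vuln_scan", "ip": "192.0.2.5", "cve": "CVE-PLACEHOLDER-1", "ts": T0 + timedelta(minutes=9)},  # 6 min gap
    {"type": "vpn_auth_fail", "login": "alice", "service": "vpn", "src_ip": "198.51.100.1", "ts": T0},
    {"type": "vpn_auth_fail", "login": "alice", "service": "vpn", "src_ip": "198.51.100.2", "ts": T0 + timedelta(minutes=1)},
    {"type": "edr", "host": "ws01", "rule": "susp-powershell", "ts": T0},
    {"type": "edr", "host": "ws01", "rule": "susp-powershell", "ts": T0 + timedelta(minutes=2)},
    {"type": "mail_phish", "sender": "news@example.invalid", "ts": T0},
    {"type": "mail_phish", "sender": "news@example.invalid", "ts": T0 + timedelta(minutes=1)},
]


def run_sample() -> tuple[list[tuple[str, int]], Deduper]:
    d = Deduper()
    return [d.ingest(a) for a in SAMPLE_ALERTS], d


if __name__ == "__main__":
    for action, tid in run_sample()[0]:
        print(f"{action:8s} ticket #{tid}")
```

The fourth vulnerability alert arrives 6 minutes after the previous sighting, so despite an identical key it becomes a new ticket; the second VPN failure comes from a different source IP but still dedupes, because the key is login + service rather than source IP.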

So there you go, many ways to make automation even more automated !!

Andy
