Learn about how Cortex XDR deduplicates issues
To optimize issue management and reduce noise, Cortex XDR employs a deduplication (dedup) mechanism for specific agent-based issues.
What is deduplication?
Deduplication is the process of grouping identical security events that occur on the same endpoint within a specific timeframe. Instead of generating a new entry for every recurring instance of a threat, the system consolidates them into a single actionable issue.
Deduplication is strictly applied to issues where the issue_name contains WildFire or Local Analysis. All other issue types are processed individually and will not be deduped.
The system generates a unique fingerprint or key for each incoming issue. If the key matches an existing active issue within the timeframe, the new event is deduped. The formula is as follows:
{agent_id}_{issue_name}_{hash_id}_{action_status}_{name}_{trigger}
Key components are resolved using a specific fallback hierarchy to ensure a match even if some data is missing:
| Component | Resolution Logic (Fallback Order) |
|---|---|
| hash_id | SHA256 of the Action File, falling back to the Action Process, then the Actor Process (the first one present is used) |
| name | action_file_name, falling back to the relevant process name |
| action_status | Appended only if issue_action_status is present on the event |
| trigger | The prevention trigger value from |
Note
Issues are automatically excluded from deduplication if the agent_id is missing, the hash_id is missing, or the hash_id is an all-zero SHA256 string.
The deduplication window is 1 hour. This is a sliding window that starts from the ingestion of the first issue. Identical events arriving within this 60-minute buffer are suppressed; events arriving after the window expires will trigger a new issue.
How to find deduplicated issues
Deduplicated issues are often referred to as "hidden" issues because they do not appear as unique new rows in the issue table. Instead, they are aggregated into the initial "Parent" issue instance.
To identify if an issue was suppressed by the dedup logic, search for the primary issue using the following criteria within a 1-hour window before the timestamp of the expected issue:
Agent ID: Match the specific agent_id of the endpoint.
Issue Name: Look for Local Analysis Malware or WildFire Malware.
File Identification (Hash): Use the SHA256 hierarchy (Action File → Action Process → Actor Process).
File/Process Name: Match the action_file_name or relevant process name.
Action Status: Ensure the issue_action_status matches (if it was present on the event).
If you find an issue matching these criteria that occurred less than 60 minutes prior, the "missing" issue has been successfully deduped into that existing entry.
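The following is an added worked example, not Cortex XDR code, that models both the key formula and fallback hierarchy described above and the "look back one hour for the parent" search from this section. It replays a handful of constructed events through the dedup rules (candidate issue names, the SHA256 and name fallbacks, the optional action_status component, the exclusions for a missing agent_id, missing hash or all-zero SHA256, and the one-hour window) and then shows how a suppressed issue is traced back to its parent row. The raw field names used for the hash, name and trigger components (action_file_sha256, action_process_sha256, actor_process_sha256, action_process_name, actor_process_name, prevention_trigger), the sample values, and the exact boundary behaviour at the 60-minute mark are assumptions made for the example; the page states the hierarchy and the window length but not the field keys.

```python
from datetime import datetime, timedelta

# Issues are only dedup candidates when issue_name contains one of these.
DEDUP_NAME_MARKERS = ("WildFire", "Local Analysis")
ZERO_SHA256 = "0" * 64
DEDUP_WINDOW = timedelta(hours=1)

# Assumed raw field names for the fallback hierarchies
# (Action File -> Action Process -> Actor Process); the page names the
# hierarchy, not the field keys.
HASH_FIELDS = ("action_file_sha256", "action_process_sha256", "actor_process_sha256")
NAME_FIELDS = ("action_file_name", "action_process_name", "actor_process_name")
TRIGGER_FIELD = "prevention_trigger"  # assumed name for the trigger component


def first_present(issue, fields):
    """Walk a fallback hierarchy and return the first non-empty value."""
    for f in fields:
        if issue.get(f):
            return issue[f]
    return None


def dedup_key(issue):
    """Build {agent_id}_{issue_name}_{hash_id}[_{action_status}]_{name}_{trigger}.

    Returns None when the issue is not a dedup candidate or is excluded
    (missing agent_id, missing hash_id, or all-zero SHA256).
    """
    name = issue.get("issue_name", "")
    if not any(marker in name for marker in DEDUP_NAME_MARKERS):
        return None
    agent_id = issue.get("agent_id")
    hash_id = first_present(issue, HASH_FIELDS)
    if not agent_id or not hash_id or hash_id == ZERO_SHA256:
        return None
    parts = [agent_id, name, hash_id]
    if issue.get("issue_action_status"):           # appended only if present
        parts.append(issue["issue_action_status"])
    parts.append(first_present(issue, NAME_FIELDS) or "")
    parts.append(issue.get(TRIGGER_FIELD) or "")
    return "_".join(parts)


class Deduplicator:
    """Replays ingestion in time order and decides which events become rows."""

    def __init__(self, window=DEDUP_WINDOW):
        self.window = window
        self.parents = {}   # key -> parent issue (the visible row)
        self.counts = {}    # key -> events folded into that parent

    def ingest(self, issue):
        """Return (parent, is_new_row); is_new_row=False means suppressed."""
        key = dedup_key(issue)
        if key is None:
            return issue, True
        parent = self.parents.get(key)
        # The window opens at the parent's ingestion; an event arriving after
        # it closes starts a fresh parent (strict '<' is an assumption).
        if parent and issue["ingest_time"] - parent["ingest_time"] < self.window:
            self.counts[key] += 1
            return parent, False
        self.parents[key] = issue
        self.counts[key] = 1
        return issue, True


def find_parent(visible_rows, expected):
    """Locate the row an expected-but-missing issue was folded into: same key,
    ingested less than one hour before the expected timestamp."""
    key = dedup_key(expected)
    if key is None:
        return None
    for row in visible_rows:
        if dedup_key(row) != key:
            continue
        delta = expected["ingest_time"] - row["ingest_time"]
        if timedelta(0) <= delta < DEDUP_WINDOW:
            return row
    return None


# Constructed sample events (not real telemetry), in ingestion order.
T0 = datetime(2024, 5, 1, 10, 0, 0)
SHA = "a" * 64


def _ev(minutes, **fields):
    base = {"agent_id": "ep-01", "issue_name": "WildFire Malware",
            "action_file_sha256": SHA, "action_file_name": "dropper.exe",
            "issue_action_status": "PREVENTED", TRIGGER_FIELD: "file_write",
            "ingest_time": T0 + timedelta(minutes=minutes)}
    base.update(fields)
    return base


SAMPLE_EVENTS = [
    _ev(0),                                      # first sighting: new row
    _ev(5, action_file_sha256=ZERO_SHA256),      # all-zero hash: excluded, new row
    _ev(20),                                     # identical, inside window: suppressed
    _ev(40, action_file_sha256=None, action_file_name=None,
        action_process_sha256=SHA, action_process_name="dropper.exe"),  # via fallbacks: suppressed
    _ev(55, issue_name="Behavioral Threat"),     # not WildFire/Local Analysis: new row
    _ev(70),                                     # window expired: new row
]


def replay(events=SAMPLE_EVENTS):
    """Return one is_new_row flag per event."""
    d = Deduplicator()
    return [d.ingest(e)[1] for e in events]


if __name__ == "__main__":
    print(replay())
    print(find_parent([SAMPLE_EVENTS[0]], SAMPLE_EVENTS[2])["ingest_time"])
```

The event at minute 40 is the case worth noting: its action-file fields are empty, but because the hash and name resolve through the Action Process fallback to the same values, it produces the same key and is folded into the minute-0 parent. The event at minute 70 has the same key but lands outside the hour and starts a new parent row, which is exactly what a one-hour look-back from its timestamp would miss.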