Alert deduplication - Learn about how Cortex XSIAM deduplicates alerts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Deduplication is the process of grouping identical security events that occur on the same endpoint within a specific timeframe. Instead of generating a new entry for every recurring instance of a threat, the system consolidates them into a single actionable alert.

Deduplication is strictly applied to alerts where the alert_name contains WildFire or Local Analysis. All other alert types are processed individually and will not be deduped.

The system generates a unique fingerprint or key for each incoming alert. If the key matches an existing active alert within the timeframe, the new event is deduped. The formula is as follows:

{agent_id}_{alert_name}_{hash_id}_{action_status}_{name}_{trigger}

Key components are resolved using a specific fallback hierarchy to ensure a match even if some data is missing:

The deduplication window is 1 hour. This is a sliding window that starts from the ingestion of the first alert. Identical events arriving within this 60-minute buffer are suppressed; events arriving after the window expires will trigger a new alert.

Deduplicated alerts are often referred to as "hidden" alerts because they do not appear as unique new rows in the alert table. Instead, they are aggregated into the initial "Parent" alert instance.

To identify if an alert was suppressed by the dedup logic, search for the primary alert using the following criteria within a 1-hour window before the timestamp of the expected alert:

If you find an alert matching these criteria that occurred less than 60 minutes prior, the "missing" alert has been successfully deduped into that existing entry.