Merge Phishing Detection Engine Cases Pre-Built Playbook
Merge cases with phishing detections in a 14-day period using the Merge Phishing Detection Engine Cases pre-built playbook.
The Threat Center pre-built Phishing Rule detection grouping rule first groups phishing rule detections with the same email subject into a new case during a 24-hour window. After 24 hours, the Merge Phishing Detection Engine Cases playbook merges any newly created cases containing phishing rule detections with the same email subject back into the oldest case in a 14-day period.
During the 14-day period, all cases whose phishing detections have the same email subject are merged into the oldest case in the 14-day period. After 14 days, the cycle repeats: the first case containing phishing rule detections with the same email subject in the new 14-day period is considered the first instance of a unique group, and all subsequent related cases are merged into that case.
Unlike the other pre-built playbooks, the pre-built Merge Phishing Detection Engine Cases playbook is disabled by default. To activate it, you must enable it, then order it at the top of the list of playbooks.
Playbook Logic
The Merge Phishing Detection Engine Cases pre-built playbook has the Case created trigger. If the playbook is enabled, the playbook automatically runs when a case is created.
The playbook runs a branch to one. In this branch to one:
Default – If the other branch is false, nothing is executed.
Branch 1 – If the case contains phishing rule detections and the phishing detections have the same email subject as the detections in an existing case in an ongoing 14-day period, the playbook merges the new case and the existing case.
During the merge, the new case is merged into the existing case. All notes and file attachments are copied to the existing case and the associated alert is linked to the existing case. Then, the new case is deleted.
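The following Python model is an added example, not the product's own playbook code. It replays constructed cases through the merge rule described above to show which case each one ends up in and where a new 14-day period begins. Assumptions: the period is anchored at the creation time of its oldest case, the boundary is exclusive, and subjects are compared as exact strings; the Case class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # merge period stated on the page

@dataclass
class Case:
    case_id: str
    created: datetime
    subject: str  # email subject shared by the case's phishing detections
    notes: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def on_case_created(new, anchors):
    """Model of the 'Case created' trigger. `anchors` maps an email subject
    to the oldest case of its ongoing period. Returns the surviving case id."""
    anchor = anchors.get(new.subject)
    # Assumption: period starts at the anchor's creation time, exclusive end.
    if anchor is not None and new.created - anchor.created < WINDOW:
        # Branch 1: merge the new case into the existing (oldest) case.
        anchor.notes.extend(new.notes)    # notes and attachments are copied
        anchor.alerts.extend(new.alerts)  # alert is linked to the existing case
        return anchor.case_id             # the new case is then deleted
    # Default: nothing is executed; this case starts a new period.
    anchors[new.subject] = new
    return new.case_id

def replay(cases):
    """Feed cases in creation order; return {case_id: surviving case id}."""
    anchors, result = {}, {}
    for case in sorted(cases, key=lambda c: c.created):
        result[case.case_id] = on_case_created(case, anchors)
    return result

# Constructed sample data (not real cases).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Case("C1", T0, "Invoice overdue", alerts=["A1"]),
    Case("C2", T0 + timedelta(days=1), "Invoice overdue", notes=["n2"], alerts=["A2"]),
    Case("C3", T0 + timedelta(days=2), "Password reset", alerts=["A3"]),
    Case("C4", T0 + timedelta(days=13), "Invoice overdue", alerts=["A4"]),
    Case("C5", T0 + timedelta(days=15), "Invoice overdue", alerts=["A5"]),
    Case("C6", T0 + timedelta(days=20), "Invoice overdue", alerts=["A6"]),
]

if __name__ == "__main__":
    for cid, target in replay(SAMPLE).items():
        print(f"{cid} -> {target}")
```

In this model C5 is not merged into C1 because it arrives after C1's 14-day period has ended, so it becomes the first case of the next period and C6 merges into it.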