Create merge rules
To merge similar entities into a master entity, configure a merge entity rule.
Required fields are marked with an asterisk ( * ).
Name the rule
To create a new merge entity rule:
In the left navigation bar, go to Data configuration > Rules.
Click Entity > .
In the Create entity rule view, under Rule name enter a short and descriptive name for the rule.
It helps understand what the rule does and what its purpose is.In the Description field enter a short description to clarify the purpose of the rule, and the type of data it applies to.
This is helpful when the amount of rules users create in the Intelligence Center grows over time. A short description provides context, and it is a reminder of the reasons why the rule is in place.If you want to enable the rule immediately after saving it, select the Enabled checkbox.
Set selection criteria for the rule
In the Criteria selection section, define the data filtering criteria for the rule.
These settings filter the objects the rule acts on.
Select at least one criterion.
You can create complex filters by combining multiple criteria.
The available Criteria selection options you that can select and configure are:
To apply the rule only to specific entity types:
Click Criteria.
From the drop-down menu select Entity types.
Click Types to select one or more entity types to apply the rule to.
The rule applies the same actions to all selected entity types.
To remove a selection, go to the item(s) you want to remove, and click the cross icon .
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
To apply the rule only to entities matching specific content fields and values:
Click Criteria.
From the drop-down menu select Content criteria.
JSON path (Path)/regex (Value) key/value pairs define the content criteria the rule applies.Under Path, from the drop-down menu select an option to define where in the entity data structure the rule filter should search for data matching the regex data pattern.
The available options map to corresponding JSON paths in the JSON data structure representing entities in the Intelligence Center.In the Value field, define a regex to specify the data pattern the rule should use to filter matching content.
Click Add or More to insert new rows or input fields, as necessary, where you can enter additional key/value pairs for JSON fields and corresponding content you want to add to the filter.
To remove a selection, go to the item(s) you want to remove, and click the cross icon .
To apply the rule only to entities originating from a specific data source:
Click Criteria.
From the drop-down menu select Sources.
From the Source drop-down menu, select the data source for the filter.
Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups.To remove a selection, go to the item(s) you want to remove, and click the cross icon .
To apply the rule only to entities matching a specific TLP color code:
Click Criteria.
From the drop-down menu select TLPs.
From the TLPs drop-down menu, select one or more TLP color codes to apply to the filter.
The TLP filter returns exact matches.
The Boolean operator linking multiple TLP filter selections is OR: matching entities are flagged with any of the TLP color code values selected in the filter.
To remove a selection, go to the item(s) you want to remove, and click the cross icon .
To remove all selections at once, click the cross icon next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
Define the merge action for the rule
In the Actions section, define the type of action the rule applies to entities matching the filtering criteria.
Select at least one action.
You can combine multiple actions to create a processing pipeline.
However, it is not possible to combine Merge similar with other actions.
To merge similar entities to a master entity:
Click Actions.
From the drop-down menu select Merge similar.
All entities matching all the conditions defined under Criteria selection are merged to a master entity.Under Master entity, click Add to select the master entity where all similar entities should be merged to.
In the Search an entity pop-up dialog, search for an entity to use it as a master:
Click an entity on the overview list to select it as the master entity.
Enter search terms, search queries, or JSON paths in the search field .
Apply quick filters to look for specific entity types; or entities from specific incoming feeds, enrichers, or datasets; or entities ingested within a given time range.
To confirm your master entity selection, click Select.
To remove a selected action from the rule configuration, click the corresponding .
For more information on entity merge rules, see About merging entities.
Save the rule
To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:
Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
For example, a new dataset, feed, policy, rule, task, or workspace.Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.