# Alert Deduplication

Security vendors, particularly network (IDS/IPS) and DLP tools, frequently generate large volumes of near-identical alerts for the same underlying event or repeated occurrences within a short time window. Without deduplication, these redundant alerts clutter the alert queue, waste analyst time, and create performance bottlenecks in the triage pipeline. Radiant addresses this by applying a deduplication step *after* alert filtering and *before* AI triage, collapsing duplicate alerts from the same data feed into a single primary alert without losing the fidelity of the original data.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FoYLbnzDIafsch1caILZV%2FRadiant_Alerts_06.png?alt=media&#x26;token=ec1c7585-4128-4536-8d36-f456612a485e" alt=""><figcaption></figcaption></figure>

### How deduplication works

When a new alert comes in from a connector (for example, one flagging suspicious activity on a particular host), it goes through the normal triage process and becomes the **Initial alert**.

If, shortly after, nearly identical alerts start arriving from the same data source, related to that same host and the same action, Radiant recognizes them as duplicates. From the second matching alert onwards, instead of creating new, separate alert entries, the AI **appends the raw alert data directly to that initial alert**. The underlying data is also stored in Log Management for further investigation. This grouping stays active during an **open time window** of 3 days - any additional alerts that match the same criteria during that period will continue to be consolidated under that same initial alert. Deduplication logic and time windows can be customized and tuned with the help of the Radiant Success team.

### The deduplication count

Customers can track how many alerts have been deduplicated in two places:

* **From the Alerts table** on the main Alerts page, a dedicated column shows the total number of deduplicated alerts associated with each initial alert.
* **From within the Alert page itself**, a tag shows **"N duplicate alerts."** Clicking it opens a side panel with detailed deduplication information.

### The deduplication logic

Deduplication rules are crafted and refined by Radiant's security experts based on the vendor and alert type, ensuring that consolidation logic reflects real-world attack patterns and minimizes the risk of masking distinct threats. Each rule is composed of two query layers:

* **Base Condition** - defines which alerts are eligible for deduplication (e.g., "all alerts where a threat name is present")
* **Match Condition** - defines the specific field combination that must be identical across alerts for them to be consolidated under the initial alert (e.g., "same machine, same detector, same threat name")

The **deduplication logic** can be customized for your environment with the help of the Radiant Success team.

{% hint style="info" %}
**Note:** The Match Condition values shown in the examples below are illustrative. In practice, these values are dynamically populated with the specific identifiers from the initial alert - such as the actual user ID, machine ID, or hostname observed in your environment.
{% endhint %}

## Deduplication logic examples

### Microsoft Office 365 - Identity Risk

Consolidates repeated identity risk alerts triggered by the same user from the same IP address.

* **Query condition:**

{% code overflow="wrap" %}

```powerquery
ipAddress:*
"userId":"user-id" AND "ipAddress":"192.168.1.100" AND "riskEventType":"unfamiliarFeatures"
```

{% endcode %}

* **What this means:** Once an identity risk alert is triaged for a specific user and IP address, subsequent alerts sharing the same user ID, IP address, and risk event type are consolidated under the initial alert for the duration of the consolidation window.

### Microsoft Defender for Endpoint - Threat Detection

* **Query condition:**

{% code overflow="wrap" %}

```powerquery
NOT threatName:'null'
"machineId":"machine-id" AND "detectorId":"detector-id" AND "threatName":"malware-name"
```

{% endcode %}

* **What this means:** Once a threat detection alert is triaged for a specific machine and detector combination, subsequent alerts from the same detector on the same machine with the same threat name are consolidated under the initial alert.

### Darktrace - Suspicious Domain Detection

Consolidates repeated model breach alerts triggered by the same device against the same detection model.

* **Query condition:**

{% code overflow="wrap" %}

```powerquery
"device.hostname":"hostname" AND "model.name":"Device::Suspicious Domain"
```

{% endcode %}

* **What this means:** Once a model breach alert is triaged for a specific device and detection model, subsequent alerts from the same device matching the same model are consolidated under the initial alert.
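To make the two-layer rule concrete, here is an added Python model of the deduplication step described above (the Base Condition, the Match Condition, and the 3-day open window), with the three query conditions from this page expressed as rules. This is illustration code, not Radiant's implementation: it assumes raw alert fields arrive as a flat dictionary, that alerts are keyed by their data feed plus the Match Condition values, and that the open window is measured from the initial alert's arrival time. The sample alerts at the bottom are constructed.

```python
"""Added illustration (not Radiant's code) of the two-layer deduplication rule:
a Base Condition selects eligible alerts, a Match Condition names the fields
that must be identical, and matches within the open window are appended to the
initial alert instead of becoming new alerts."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

OPEN_WINDOW = timedelta(days=3)  # 3-day open window; assumed to start at the initial alert


@dataclass(frozen=True)
class Rule:
    base: Callable[[dict], bool]      # Base Condition: is this alert eligible at all?
    match_fields: tuple[str, ...]     # Match Condition: fields that must be identical


@dataclass
class Alert:
    alert_id: str
    source: str          # data feed / connector the alert came from
    received: datetime
    data: dict           # raw alert fields (flat keys assumed for simplicity)


@dataclass
class PrimaryAlert:
    initial: Alert
    duplicates: list[Alert] = field(default_factory=list)

    @property
    def duplicate_count(self) -> int:   # value shown in the "N duplicate alerts" tag
        return len(self.duplicates)

    @property
    def window_end(self) -> datetime:
        return self.initial.received + OPEN_WINDOW


# The three rules from the page, expressed as base + match layers.
# Field names are taken from the page's query conditions; rule names are assumed.
RULES: dict[str, Rule] = {
    "o365-identity-risk": Rule(
        base=lambda d: "ipAddress" in d,                           # ipAddress:*
        match_fields=("userId", "ipAddress", "riskEventType"),
    ),
    "defender-threat": Rule(
        base=lambda d: d.get("threatName") not in (None, "null"),  # NOT threatName:'null'
        match_fields=("machineId", "detectorId", "threatName"),
    ),
    "darktrace-model": Rule(
        base=lambda d: True,                                       # no base condition on the page
        match_fields=("device.hostname", "model.name"),
    ),
}


class Deduplicator:
    """Collapses matching alerts from the same source into one primary alert."""

    def __init__(self, rules: dict[str, Rule]):
        self.rules = rules
        self.primaries: list[PrimaryAlert] = []
        self._open: dict[tuple, PrimaryAlert] = {}  # match key -> currently open primary

    def _match_key(self, alert: Alert):
        rule = self.rules.get(alert.source)
        if rule is None or not rule.base(alert.data):
            return None                  # not eligible: always a separate alert
        try:
            values = tuple(alert.data[f] for f in rule.match_fields)
        except KeyError:
            return None                  # a match field is missing: cannot consolidate
        return (alert.source, values)

    def ingest(self, alert: Alert) -> PrimaryAlert:
        key = self._match_key(alert)
        if key is not None:
            primary = self._open.get(key)
            if primary is not None and alert.received < primary.window_end:
                primary.duplicates.append(alert)   # append raw data to the initial alert
                return primary
        primary = PrimaryAlert(initial=alert)       # becomes a new initial alert
        self.primaries.append(primary)
        if key is not None:
            self._open[key] = primary               # (re)opens the window for this key
        return primary


def demo() -> list[PrimaryAlert]:
    """Runs constructed sample alerts, in arrival order, through the deduplicator."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ident = {"userId": "user-id", "ipAddress": "192.168.1.100", "riskEventType": "unfamiliarFeatures"}
    dedup = Deduplicator(RULES)
    dedup.ingest(Alert("a1", "o365-identity-risk", t0, ident))                                # initial alert
    dedup.ingest(Alert("a2", "o365-identity-risk", t0 + timedelta(hours=1), ident))           # duplicate of a1
    dedup.ingest(Alert("a3", "o365-identity-risk", t0 + timedelta(hours=2),
                       {**ident, "ipAddress": "10.0.0.5"}))                                  # other IP: new initial
    dedup.ingest(Alert("a4", "o365-identity-risk", t0 + timedelta(days=2), ident))            # still inside window
    dedup.ingest(Alert("a5", "o365-identity-risk", t0 + timedelta(days=4), ident))            # window closed: new initial
    # Defender alerts with threatName "null" fail the base condition and are never consolidated
    dedup.ingest(Alert("d1", "defender-threat", t0, {"machineId": "m1", "detectorId": "det1", "threatName": "null"}))
    dedup.ingest(Alert("d2", "defender-threat", t0, {"machineId": "m1", "detectorId": "det1", "threatName": "null"}))
    return dedup.primaries
```

Two points worth noticing in the model: an alert that fails the Base Condition (the `"null"` threat name) never joins a group even when its Match Condition fields are identical, and an alert whose key matches but arrives after the window has closed starts a fresh initial alert rather than being silently appended to stale context.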

For more details on reviewing and managing deduplicated alerts, see [The Duplicate Alerts Panel](https://help.radiantsecurity.ai/radiant-alerts/radiant-alerts#the-duplicate-alerts-panel).
