Forum Discussion
gsk256
Jan 09, 2023 Copper Contributor
Duplicate incidents created by NRT rule
I'm hoping this is the right place to post this (if not, please let me know / delete). I have an NRT rule that started creating multiple incidents for a single Azure AD PIM event. The rule has bee...
- Jan 13, 2023
Disabling and enabling the rule worked for me.
-jmn-
Jan 10, 2023 Copper Contributor
Can you post the KQL used in the NRT rule?
- gsk256 Jan 10, 2023 Copper Contributor
-jmn- Here's the Kusto:
// PIM info
let pimInfo = AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("CreateRequestRoleActivation")//,"ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
// TargetResources is a dynamic array; index the first element, otherwise the UPN comes back empty
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend strTime = tostring(TimeGenerated);
let pimDetails = AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("CreateRequestRoleActivation")//,"ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
// Flatten the AdditionalDetails key/value array into one property bag per event
| mv-expand AdditionalDetails
| extend Key = tostring(AdditionalDetails.key), Value = tostring(AdditionalDetails.value)
| extend p = pack(Key, Value)
| summarize bag = make_bag(p) by TimeGenerated
| evaluate bag_unpack(bag) : (TimeGenerated:datetime, ExpirationTime:datetime, ipaddr:string, Justification:string, oid:string, RoleDefinitionOriginId:string, RoleDefinitionOriginType:string, StartTime:datetime, TemplateId:string, tid:string, wids:string);
//| extend strTime = tostring();
//union isfuzzy=true roleAssign, pimDetails
let pimAll = pimInfo
| join kind = leftouter pimDetails on TimeGenerated;
pimAll
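As an added example (not code from the thread), the same PIM activation query with the join keyed on the per-record Id column instead of TimeGenerated: two audit rows that share a timestamp can fan a leftouter join on TimeGenerated out into several result rows, and a unique key avoids that. It assumes the standard AuditLogs Id and CorrelationId columns are present; the final CorrelationId collapse is a defensive step, on the assumption that one activation request can be logged more than once.

```kusto
// Added example, not the original poster's rule. Assumes AuditLogs exposes the
// standard Id (unique per record) and CorrelationId columns.
let pimEvents = AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType == "CreateRequestRoleActivation"
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role");
// Who activated what: keep only the columns the alert needs
let pimInfo = pimEvents
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp,
                          tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
// TargetResources is an array, so index the first element
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project Id, CorrelationId, TimeGenerated, Initiator, Target, ActivityDisplayName;
// Unpack AdditionalDetails per record (by Id), not per timestamp
let pimDetails = pimEvents
| mv-expand AdditionalDetails
| extend Key = tostring(AdditionalDetails.key), Value = tostring(AdditionalDetails.value)
| summarize bag = make_bag(pack(Key, Value)) by Id
| evaluate bag_unpack(bag) : (Id:string, ExpirationTime:datetime, ipaddr:string,
      Justification:string, oid:string, RoleDefinitionOriginId:string,
      RoleDefinitionOriginType:string, StartTime:datetime, TemplateId:string,
      tid:string, wids:string);
pimInfo
// Id is unique per audit record, so the join cannot multiply rows
| join kind=leftouter pimDetails on Id
| project-away Id1
// Assumption: if the same request is logged more than once it shares a
// CorrelationId; keep the earliest record so one activation yields one row
| summarize arg_min(TimeGenerated, *) by CorrelationId
```

Run it in the Logs blade against a window with a known activation to confirm that one activation produces exactly one row before wiring it into an NRT rule.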