Forum Discussion
Solved
Duplicate incidents created by NRT rule
I'm hoping this is the right place to post this (if not please let me know / delete) I have an NRT rule that started creating multiple incidents for a single Azure AD PIM event. The rule has bee...
Disabling and enabling the rule worked for me.
Same issue over here, over 50 duplicated incidents from built-in rule NRT New access credential added to Application or Service Principal
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_NewAppOrServicePrincipalCredential.yaml
Disabling and re-enabling the NRT rule seems to resolve the loop as its occurring.
We are now experiening this issue with an NRT rule that was behaving normally, but now is creating multiple incidents for the same alert. Running the Analytics rule manually works as expected. This seems to have started the first week of January.