Forum Discussion
How to stop incidents merging under new incident (MultiStage) in defender.
Dear All
We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic.
Key concerns include:
- Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value.
- Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention.
- Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement.
We understand that Defender’s incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable.
Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated.
Thank you for your assistance.
Best regards
6 Replies
- smavrakis (Copper Contributor)
For anyone interested: Microsoft announced a way to stop this from happening.
Basically the rule author needs to add the #DONT_CORR# tag in the rule description.
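An added example, not from this thread or from Microsoft, that audits an exported Sentinel analytics-rule ARM template for the #DONT_CORR# tag mentioned above and appends it to any rule whose description lacks it. The resource type string and template layout are assumptions about Sentinel's export format, and the sample template is constructed.

```python
import copy

# Opt-out tag the thread says Microsoft introduced for Defender incident correlation.
DONT_CORR_TAG = "#DONT_CORR#"
# Resource type of Sentinel analytics rules in an exported ARM template (assumption).
ALERT_RULE_TYPE = "Microsoft.OperationalInsights/workspaces/providers/alertRules"


def rules_missing_tag(template: dict) -> list:
    """Return display names of analytics rules whose description lacks the tag."""
    missing = []
    for res in template.get("resources", []):
        if res.get("type") != ALERT_RULE_TYPE:
            continue  # skip workspace, watchlist or other non-rule resources
        props = res.get("properties", {})
        if DONT_CORR_TAG not in props.get("description", ""):
            missing.append(props.get("displayName", res.get("name", "<unnamed>")))
    return missing


def add_tag(template: dict, rule_names=None) -> dict:
    """Return a copy of the template with the tag appended to the selected
    rules' descriptions (all rules when rule_names is None); input is untouched."""
    patched = copy.deepcopy(template)
    for res in patched.get("resources", []):
        if res.get("type") != ALERT_RULE_TYPE:
            continue
        props = res.setdefault("properties", {})
        if rule_names is not None and props.get("displayName") not in rule_names:
            continue
        desc = props.get("description", "")
        if DONT_CORR_TAG not in desc:
            props["description"] = (desc + " " + DONT_CORR_TAG).strip()
    return patched


# Constructed sample export: two scheduled rules, only the first already tagged.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": ALERT_RULE_TYPE, "name": "rule-1", "kind": "Scheduled",
         "properties": {"displayName": "Admin role assignment",
                        "description": "Detects privileged role grants. #DONT_CORR#"}},
        {"type": ALERT_RULE_TYPE, "name": "rule-2", "kind": "Scheduled",
         "properties": {"displayName": "Break-glass account sign-in",
                        "description": "Alerts on emergency account use."}},
        {"type": "Microsoft.OperationalInsights/workspaces", "name": "ws"},
    ]
}

if __name__ == "__main__":
    print("Rules without opt-out tag:", rules_missing_tag(SAMPLE_TEMPLATE))
    print("After tagging:", rules_missing_tag(add_tag(SAMPLE_TEMPLATE)))
```

Run it against a real export to see which custom rules would still be eligible for merging before redeploying the template.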
- GoXATAKAN (Brass Contributor)
The Sentinel “alert grouping” setting (grouping similar alerts) does not prevent incidents from being merged into a single “Multistage” incident in Defender. This setting only affects grouping inside Sentinel, while Defender uses its own independent incident correlation engine.
To keep incidents separate in Defender, the only effective configuration is:
- Change the Sentinel → Defender sync mode to “Incidents only”
Settings → Microsoft Sentinel → Incident settings → Sync: Incidents only
This forces Defender to create one incident per Sentinel incident and prevents automatic merging into Multistage incidents.
If strict separation is still required, or if behavior continues despite this change:
✔ Open a Microsoft Support case
Ask for assistance or advanced configuration options related to disabling or reducing Defender incident correlation. Some customers have received tailored guidance through support.
Sentinel alert grouping alone won’t solve the issue.
- Jalixio (Copper Contributor)
How to minimize undesired merging
While you cannot disable merging globally, the following strategies help maintain granular incidents:
- Use a separate Sentinel workspace for sensitive use cases
Only the primary Sentinel workspace is fully correlated by Defender XDR. Sensitive or custom analytic rules can be placed in a secondary workspace to prevent automatic merging.
See: https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=defender-portal
- Manually move alerts if needed
If incidents have already been merged, you can move alerts to a new incident in the Defender portal.
See: https://learn.microsoft.com/en-us/defender-xdr/move-alert-to-another-incident
Hope this helps!
- jbmartin6 (Iron Contributor)
Just go to the Alerts list instead of the Incidents list.
- smavrakis (Copper Contributor)
The question is specifically about controlling or disabling the automatic incident correlation/merging behavior in Defender XDR for Sentinel‑generated alerts, so that distinct custom detections remain as separate incidents; “just use the Alerts list” does not address the problem or the requirements described.
- jbmartin6 (Iron Contributor)
Ah, I see what you mean now. I think you would have to do that outside of Defender; I've never seen or heard of a mechanism to do that inside Defender.