Forum Discussion

smavrakis's avatar
smavrakis
Copper Contributor
Nov 25, 2025
Solved

How to stop incidents merging under new incident (MultiStage) in defender.

Dear All We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically...
alerts
automation
incident management
microsoft sentinel
onboarding
siem
  • smavrakis's avatar
    smavrakis
    Dec 15, 2025

    For any1 Interested Microsoft Announced, a way to stop this from happening

    Basically the rule author needs to add #DONT_CORR# tag in the rule description.

Jalixio's avatar
Jalixio
Copper Contributor
Dec 02, 2025

How to minimize undesired merging

While you cannot disable merging globally, the following strategies help maintain granular incidents:

  1. Use a separate Sentinel workspace for sensitive use cases
    Only the primary Sentinel workspace is fully correlated by Defender XDR. Sensitive or custom analytic rules can be placed in a secondary workspace to prevent automatic merging.
    See: https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=defender-portal
  2. Manually move alerts if needed
    If incidents have already been merged, you can move alerts to a new incident in the Defender portal.
    See: https://learn.microsoft.com/en-us/defender-xdr/move-alert-to-another-incident

Hope this helps!

Resources