How to stop incidents merging under new incident (MultiStage) in defender.

The Sentinel “alert grouping” setting ( grouping similar alerts ) does not prevent incidents from being merged into a single “Multistage” incident in Defender. This setting only affects grouping inside Sentinel, while Defender uses its own independent incident correlation engine.

To keep incidents separate in Defender, the only effective configuration is:

- Change the Sentinel → Defender sync mode to “Incidents only”

Settings → Microsoft Sentinel → Incident settings → Sync: Incidents only

This forces Defender to create one incident per Sentinel incident and prevents automatic merging into Multistage incidents.

If strict separation is still required, or if behavior continues despite this change:

✔ Open a Microsoft Support case

Ask for assistance or advanced configuration options related to disabling or reducing Defender incident correlation. Some customers have received tailored guidance through support.

Sentinel alert grouping alone won’t solve the issue.