Forum Discussion
How to stop incidents merging under a new incident (MultiStage) in Defender
- Dec 15, 2025
For anyone interested, Microsoft announced a way to stop this from happening.
Basically, the rule author needs to add the #DONT_CORR# tag in the rule description.
Hey, thanks for this. But can you please elaborate on where / how Microsoft announced that as a solution to this problem? I am facing the problem (insane bogus correlations between Sentinel Analytics Rule alerts and various Defender for XYZ / Defender XDR alerts, into giant unmanageable incidents with thousands of different pieces of evidence, assets, etc., and hundreds of unrelated alerts).
In our case, we have a lot of shared NAT IPs for our in-office users (which I assume is extremely common for any sizeable company). So we see a lot of erroneous correlations due to "Similar IP". Note that the correlation reasons aren't very specific and do not reveal exactly which alerts are being correlated together; it's just "the current alert is being correlated to incident # because of 'similar <IP|URL|etc>'".
Microsoft Support tells us it's by design and you can't tame the correlations; you would need carefully planned Analytics Rules to avoid it. Apparently it's a known issue for customers using NAT! When I asked about turning off incident correlation on some (possibly all) of the Analytics Rules, they responded with "that could help some".
I found this page:
https://learn.microsoft.com/en-us/defender-xdr/exclude-analytics-rules-correlation
where it states:
Overview
Microsoft Defender XDR groups multiple alerts and incidents into unified attack stories. While this capability provides powerful security insights, it can lead to unexpected behavior for organizations migrating from Microsoft Sentinel, where incidents are static and determined solely by analytics rule configurations.
By default, all analytics rules are excluded at the tenant level when you first onboard to Microsoft Defender. Depending on your organization's needs, you can change this setting to enable correlation for all analytics rules and exclude specific rules only, or exclude all analytics rules and add specific ones for correlation.
By excluding analytics rules from correlation, you can ensure that alerts generated by those rules bypass the correlation engine and group into incidents exactly as they did in Microsoft Sentinel—based only on the grouping configuration of the analytics rule.
Would that page be the announcement you were referring to? Just trying to make sure I understand this correctly, as I don't want to advise turning off incident correlation on the analytics rules without being certain. The idea behind letting them correlate is that the correlation engine would do a good job and then the incidents would have more related alerts/evidence. But it seems that hope is too big for XDR/Sentinel. The correlation engine has no smarts.
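The following is an added example, not code from either poster or from Microsoft. It takes the #DONT_CORR# description tag from the first post and the shared-NAT "Similar IP" problem from the reply and turns them into a repeatable audit: given an analytics-rule ARM template of the kind exported from the Sentinel portal, it reports which rules already carry the tag and appends it to every scheduled rule that maps an IP entity, so those rules bypass the XDR correlation engine while account-only rules keep correlating. Assumptions: the tag is the exact string `#DONT_CORR#` in `properties.description` (as the first post states; the thread does not otherwise confirm it), and the export uses the usual `resources[].properties.entityMappings[].entityType` layout. The sample template below is constructed for the example.

```python
"""Audit and tag Sentinel analytics rules for exclusion from Defender XDR correlation.

Added example (not from the thread or from Microsoft). Assumes the exclusion tag is
exactly '#DONT_CORR#' in the rule description, as reported in the first post.
"""
import copy
import json

DONT_CORR_TAG = "#DONT_CORR#"  # tag string as given in the first post (assumed exact)

# Constructed sample export: one rule mapping an IP entity (the shared-NAT case),
# one account-only rule that is already tagged.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/rule-office-nat')]",
            "properties": {
                "displayName": "Suspicious sign-in from office egress",
                "description": "Flags sign-ins from the corporate NAT range.",
                "entityMappings": [
                    {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
                    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
                ],
            },
        },
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/rule-mfa-disabled')]",
            "properties": {
                "displayName": "MFA disabled for privileged account",
                "description": "Already excluded. #DONT_CORR#",
                "entityMappings": [
                    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
                ],
            },
        },
    ],
}


def is_alert_rule(resource: dict) -> bool:
    """True for Sentinel analytics-rule resources in the ARM export."""
    return resource.get("type", "").endswith("/alertRules")


def maps_entity(resource: dict, entity_type: str) -> bool:
    """True if the rule's entityMappings include the given entity type (e.g. 'IP')."""
    mappings = resource.get("properties", {}).get("entityMappings") or []
    return any(m.get("entityType") == entity_type for m in mappings)


def has_tag(resource: dict) -> bool:
    """True if the rule description already carries the exclusion tag."""
    return DONT_CORR_TAG in resource.get("properties", {}).get("description", "")


def tag_rules(template: dict, entity_type: str = "IP") -> tuple[dict, list[str]]:
    """Return a tagged copy of the template plus the display names of rules changed.

    Only rules that map `entity_type` and lack the tag are modified; the input is untouched.
    """
    out = copy.deepcopy(template)
    changed = []
    for res in out.get("resources", []):
        if not is_alert_rule(res) or not maps_entity(res, entity_type) or has_tag(res):
            continue
        props = res.setdefault("properties", {})
        desc = props.get("description", "").rstrip()
        props["description"] = f"{desc} {DONT_CORR_TAG}".strip()
        changed.append(props.get("displayName", res.get("name", "<unnamed>")))
    return out, changed


def report(template: dict) -> dict[str, bool]:
    """Map each rule's displayName to whether it currently carries the exclusion tag."""
    return {r["properties"].get("displayName", r.get("name")): has_tag(r)
            for r in template.get("resources", []) if is_alert_rule(r)}


if __name__ == "__main__":
    tagged, changed = tag_rules(SAMPLE_TEMPLATE)
    print("Tagged:", changed)
    print(json.dumps(report(tagged), indent=2))
```

Run `report()` against an untouched export first to see how many rules are already excluded; the tagging step is idempotent, so re-running it on an already tagged template changes nothing. Redeploying the modified template (for example with `az deployment group create`) is left out here because the thread does not cover it.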