How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?

mara7 166 Reputation points
2024-10-29T05:26:13.2566667+00:00

[attached screenshot]

I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the analytics rule gets closed automatically and merged under a larger incident, instead of remaining as a separate incident.

Here's the problem in more detail:

I’ve set up automation to receive immediate email notifications each time an incident alert is triggered. However, due to this merging behavior, new events are grouped under previous incidents, making it difficult to get timely notifications.

Some incidents end up accumulating over 150 events, making investigation and analysis very cumbersome.

To address this, I’d like to configure Sentinel so that each new alert from the analytics rule creates a separate incident, rather than merging with existing ones. Could anyone provide guidance on the settings or configurations that would ensure each event generates a new incident?

Any help with specific configuration steps or best practices to avoid this automatic merging behavior would be greatly appreciated.
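Added example, not part of the question or of any answer on this page: on the Sentinel side, whether alerts from an analytics rule open their own incident or join an existing one is controlled per rule under Incident settings, Alert grouping (in the API, `incidentConfiguration.groupingConfiguration` on the `alertRules` resource, with `enabled`, `reopenClosedIncident`, `lookbackDuration` and `matchingMethod`). The Python below audits an ARM template export of analytics rules for that setting and produces a patched copy with grouping switched off, so every alert creates a separate incident. The rule GUIDs, display names and queries in the sample are constructed; the property names follow the SecurityInsights schema. One caveat: a "multi-stage incident" title and Sentinel incidents that close on their own are also what Defender XDR's incident correlation produces when a workspace is connected to it, and that merging is not affected by the rule setting shown here.

```python
"""Audit exported Microsoft Sentinel analytics rules for alert grouping and
emit a copy with grouping disabled (one incident per alert)."""
import copy
import json

RULE_TYPE = "Microsoft.OperationalInsights/workspaces/providers/alertRules"

# Constructed sample in the shape of an ARM template export of analytics rules.
# Property names follow the SecurityInsights alertRules schema; the GUIDs,
# display names and KQL queries are invented for this example.
SAMPLE_EXPORT = {
    "resources": [
        {
            "type": RULE_TYPE,
            "kind": "Scheduled",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/11111111-1111-1111-1111-111111111111')]",
            "properties": {
                "displayName": "Suspicious sign-in burst",
                "enabled": True,
                "query": "SigninLogs | where ResultType != 0",
                "incidentConfiguration": {
                    "createIncident": True,
                    "groupingConfiguration": {
                        "enabled": True,                 # alerts merge into an open incident
                        "reopenClosedIncident": True,    # ...and even into a closed one
                        "lookbackDuration": "PT5H",
                        "matchingMethod": "AllEntities",
                        "groupByEntities": [],
                        "groupByAlertDetails": [],
                        "groupByCustomDetails": [],
                    },
                },
            },
        },
        {
            "type": RULE_TYPE,
            "kind": "Scheduled",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22222222-2222-2222-2222-222222222222')]",
            "properties": {
                "displayName": "Rare process on server",
                "enabled": True,
                "query": "SecurityEvent | where EventID == 4688",
                "incidentConfiguration": {
                    "createIncident": True,
                    "groupingConfiguration": {"enabled": False},
                },
            },
        },
        {
            "type": RULE_TYPE,
            "kind": "NRT",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33333333-3333-3333-3333-333333333333')]",
            "properties": {
                "displayName": "Alert-only detection",
                "enabled": True,
                "query": "AuditLogs | where OperationName has 'role'",
                "incidentConfiguration": {"createIncident": False},
            },
        },
    ]
}


def rule_id(resource):
    """The rule GUID is the last path segment of the templated resource name."""
    return resource["name"].rstrip("')]").rsplit("/", 1)[-1]


def grouping_findings(export):
    """Classify each analytics rule as 'grouped' (new alerts join an existing
    incident), 'separate' (one incident per alert) or 'no-incident'."""
    findings = []
    for res in export.get("resources", []):
        if res.get("type") != RULE_TYPE:
            continue
        props = res.get("properties", {})
        incident_cfg = props.get("incidentConfiguration") or {}
        grouping = incident_cfg.get("groupingConfiguration") or {}
        if not incident_cfg.get("createIncident", True):  # missing flag treated as incident-creating
            status = "no-incident"
        elif grouping.get("enabled", False):
            status = "grouped"
        else:
            status = "separate"
        findings.append({
            "ruleId": rule_id(res),
            "displayName": props.get("displayName"),
            "status": status,
            "reopenClosedIncident": bool(grouping.get("reopenClosedIncident", False)),
            "lookbackDuration": grouping.get("lookbackDuration"),
        })
    return findings


def disable_grouping(export):
    """Return (patched_copy, changed_rule_ids) with alert grouping turned off on
    every incident-creating rule that had it on. The input is left untouched."""
    patched = copy.deepcopy(export)
    changed = []
    for res in patched.get("resources", []):
        if res.get("type") != RULE_TYPE:
            continue
        incident_cfg = res.setdefault("properties", {}).setdefault("incidentConfiguration", {})
        if not incident_cfg.get("createIncident", True):
            continue
        grouping = incident_cfg.get("groupingConfiguration") or {}
        if grouping.get("enabled", False):
            grouping["enabled"] = False
            grouping["reopenClosedIncident"] = False
            incident_cfg["groupingConfiguration"] = grouping
            changed.append(rule_id(res))
    return patched, changed


if __name__ == "__main__":
    for f in grouping_findings(SAMPLE_EXPORT):
        print(f"{f['ruleId']}  {f['status']:<12} reopen={f['reopenClosedIncident']}  {f['displayName']}")
    patched, changed = disable_grouping(SAMPLE_EXPORT)
    print("rules patched:", changed)
    print(json.dumps(patched["resources"][0]["properties"]["incidentConfiguration"], indent=2))
```

Run it against a real export (Analytics, select rules, Export) in place of `SAMPLE_EXPORT`; the patched template can be redeployed to the workspace, or each changed rule can be PUT back individually through the `alertRules` REST API. Turning grouping off changes only how future alerts are handled; incidents that have already been merged stay as they are.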

Microsoft Sentinel

1 answer

  1. Clive Watson 6,601 Reputation points MVP
    2024-10-31T10:12:02.7533333+00:00
