Are there details on how the incident merging works? We solved our problem with DLP events creating alerts/incidents... but we sync Sentinel incidents to our ticketing system.
With Defender XDR merging and closing incidents at will, this can cause confusion as we try to keep in sync.
Microsoft Defender XDR uses a correlation engine that automatically groups related alerts into incidents. This engine continuously evaluates new alerts and may:
1. Create a new incident if the alert is unique within a given time window.
2. Merge the alert into an existing incident if it’s deemed related—based on internal correlation logic that considers detection source, time proximity, and threat context.
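One way to keep a ticketing system in step with this merge-or-create behaviour, as an added example that is not part of the original thread: a reconciler that treats a merged incident as a redirect to its surviving parent rather than as a fresh incident. It assumes incident snapshots shaped like the Microsoft Graph security API incident resource (a merged incident carries status "redirected" and a redirectIncidentId), an in-memory dict standing in for the ticketing system, and constructed sample incidents; every identifier below is made up for illustration.

```python
"""Reconcile a ticket store against Defender XDR incident snapshots.

Added example, not code from the original thread. Assumptions: polled
incidents are dicts modelled on the Graph security API incident resource
(status "redirected" plus redirectIncidentId marks a merged incident);
the ticket store is an in-memory stand-in for a real ticketing system.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Ticket:
    incident_id: str
    status: str = "open"
    notes: List[str] = field(default_factory=list)


class TicketStore:
    """Minimal stand-in for a ticketing system, one ticket per incident id."""

    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}
        self.aliases: Dict[str, str] = {}  # merged incident id -> surviving id

    def canonical(self, incident_id: str) -> str:
        """Follow recorded merges so later lookups land on the surviving incident."""
        seen = set()
        while incident_id in self.aliases and incident_id not in seen:
            seen.add(incident_id)
            incident_id = self.aliases[incident_id]
        return incident_id

    def ensure_open(self, incident_id: str) -> Ticket:
        ticket = self.tickets.get(incident_id)
        if ticket is None:
            ticket = Ticket(incident_id)
            self.tickets[incident_id] = ticket
        return ticket


def resolve_redirect(incident_id: str, by_id: Dict[str, dict]) -> str:
    """Walk redirectIncidentId links to the surviving incident; loop-safe."""
    seen = set()
    current = incident_id
    while True:
        inc = by_id.get(current)
        target = inc.get("redirectIncidentId") if inc else None
        if not target or target in seen or target == current:
            return current
        seen.add(current)
        current = target


def reconcile(incidents: List[dict], store: TicketStore) -> Dict[str, int]:
    """Apply one snapshot of incidents to the ticket store; return counts."""
    summary = {"created": 0, "merged": 0, "resolved": 0, "unchanged": 0}
    by_id = {inc["id"]: inc for inc in incidents}
    for inc in incidents:
        iid = inc["id"]
        status = inc.get("status", "active")
        if status == "redirected":
            # Incident was merged: fold its ticket into the surviving parent.
            target = resolve_redirect(iid, by_id)
            store.aliases[iid] = target
            if target not in store.tickets:
                store.ensure_open(target)
                summary["created"] += 1
            store.tickets[target].notes.append(f"absorbed incident {iid}")
            child = store.tickets.get(iid)
            if child and child.status == "open":
                child.status = "closed"
                child.notes.append(f"merged into {target}")
            summary["merged"] += 1
        elif status == "resolved":
            ticket = store.tickets.get(iid)
            if ticket and ticket.status == "open":
                ticket.status = "closed"
                ticket.notes.append("resolved in Defender XDR")
                summary["resolved"] += 1
            else:
                summary["unchanged"] += 1
        else:
            if iid in store.tickets:
                summary["unchanged"] += 1
            else:
                store.ensure_open(iid)
                summary["created"] += 1
    return summary


# Constructed sample snapshot: INC-1003 was merged into INC-1002, which was
# itself merged into INC-1001 (a redirect chain), INC-1004 was closed in XDR.
SAMPLE_INCIDENTS = [
    {"id": "INC-1001", "status": "active"},
    {"id": "INC-1002", "status": "redirected", "redirectIncidentId": "INC-1001"},
    {"id": "INC-1003", "status": "redirected", "redirectIncidentId": "INC-1002"},
    {"id": "INC-1004", "status": "resolved"},
    {"id": "INC-1005", "status": "active"},
]


def demo():
    """Tickets for 1002, 1003 and 1004 were synced before the merge happened."""
    store = TicketStore()
    for iid in ("INC-1002", "INC-1003", "INC-1004"):
        store.ensure_open(iid)
    return reconcile(SAMPLE_INCIDENTS, store), store


if __name__ == "__main__":
    summary, store = demo()
    print(summary)
    print(store.canonical("INC-1003"), store.tickets["INC-1002"].status)
```

The point of the alias table is that a ticket raised for an incident that later gets merged should not be re-opened or duplicated on the next poll; every lookup is routed through `canonical()` to the surviving incident, and the redirect walk tolerates chains and the (defensive) case of a cycle in the snapshot.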