2 Comments
Jeremy

Are there details on how the incident merging works? We solved our problem with DLP events creating alerts/incidents... but we sync Sentinel incidents to our ticketing system.

With Defender XDR merging and closing incidents at will, this can cause confusion as we try to keep in sync.

José Lázaro

Microsoft Defender XDR uses a correlation engine that automatically groups related alerts into incidents. This engine continuously evaluates new alerts and may:

1. Create a new incident if the alert is unique within a given time window.

2. Merge the alert into an existing incident if it’s deemed related—based on internal correlation logic that considers detection source, time proximity, and threat context.

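Added example (not part of either comment, and not Microsoft's engine or API): a small Python model of the two behaviours José describes, plus the reconciliation step Jeremy's ticketing sync needs. The correlation rule is a deliberate simplification: an alert joins an Active incident when it shares an entity (threat context) with it and arrives within a time window of that incident's latest alert; when one alert matches two incidents, the younger incident is merged into the older and marked Resolved with a `merged_into` pointer. The sync then follows those pointers so a ticket for a merged-away incident is closed and linked to the surviving one instead of silently drifting. All alert data, incident ids and ticket ids are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Simplified correlation model (assumption, not Defender XDR's real logic).


@dataclass
class Alert:
    alert_id: str
    source: str       # detection source, e.g. "DLP" or "Endpoint"
    entity: str       # shared threat context, e.g. a user or device
    time: datetime


@dataclass
class Incident:
    incident_id: str
    alerts: list = field(default_factory=list)
    status: str = "Active"
    merged_into: Optional[str] = None   # set when folded into another incident


class SimpleCorrelator:
    def __init__(self, window: timedelta = timedelta(hours=2)):
        self.window = window
        self.incidents: dict[str, Incident] = {}
        self._counter = 0

    def _related(self, inc: Incident, alert: Alert) -> bool:
        if inc.status != "Active" or not inc.alerts:
            return False
        latest = max(a.time for a in inc.alerts)
        same_entity = any(a.entity == alert.entity for a in inc.alerts)
        return same_entity and abs(alert.time - latest) <= self.window

    def ingest(self, alert: Alert) -> str:
        """Attach the alert and return the id of the incident it now belongs to."""
        matches = [i for i in self.incidents.values() if self._related(i, alert)]
        if not matches:
            self._counter += 1
            inc = Incident(f"INC-{self._counter}", [alert])
            self.incidents[inc.incident_id] = inc
            return inc.incident_id
        # One alert bridging several incidents: the oldest survives, the rest merge into it.
        matches.sort(key=lambda i: min(a.time for a in i.alerts))
        survivor = matches[0]
        for other in matches[1:]:
            survivor.alerts.extend(other.alerts)   # alerts move to the survivor
            other.alerts = []
            other.status = "Resolved"
            other.merged_into = survivor.incident_id
        survivor.alerts.append(alert)
        return survivor.incident_id


def resolve_canonical(incidents: dict, incident_id: str) -> str:
    """Follow merged_into pointers (possibly a chain) to the incident that absorbed the others."""
    seen = set()
    while incidents[incident_id].merged_into is not None:
        if incident_id in seen:
            raise ValueError("merge cycle")
        seen.add(incident_id)
        incident_id = incidents[incident_id].merged_into
    return incident_id


def sync_tickets(incidents: dict, tickets: dict) -> list:
    """Reconcile a ticket map (incident_id -> ticket) against current incidents; return audit actions."""
    actions = []
    for inc_id, inc in incidents.items():
        ticket = tickets.get(inc_id)
        if ticket is None:
            if inc.status == "Active":        # never open a ticket for an already-merged incident
                tickets[inc_id] = {"ticket_id": f"TKT-{inc_id}", "state": "open", "linked_to": None}
                actions.append(("create", inc_id))
            continue
        if inc.merged_into is not None and ticket["state"] == "open":
            canonical = resolve_canonical(incidents, inc_id)
            ticket["state"] = "closed"
            ticket["linked_to"] = canonical   # keep the trail to the surviving incident's ticket
            actions.append(("close_merged", inc_id, canonical))
    return actions


def demo() -> dict:
    """Constructed scenario: two separate incidents, then a late-arriving alert that bridges them."""
    corr = SimpleCorrelator(window=timedelta(hours=2))
    t0 = datetime(2024, 1, 1, 9, 0)
    a = Alert("A1", "DLP", "user@example.com", t0)
    b = Alert("A2", "DLP", "user@example.com", t0 + timedelta(hours=3, minutes=30))
    c = Alert("A3", "Endpoint", "user@example.com", t0 + timedelta(hours=1, minutes=45))
    first = [corr.ingest(a), corr.ingest(b)]          # far apart in time: two incidents
    tickets: dict = {}
    before = sync_tickets(corr.incidents, tickets)    # one ticket per incident
    late = corr.ingest(c)                             # within the window of both: merge
    after = sync_tickets(corr.incidents, tickets)     # merged-away ticket closed and linked
    return {"first": first, "late": late, "before": before, "after": after,
            "incidents": corr.incidents, "tickets": tickets}


if __name__ == "__main__":
    r = demo()
    print(r["first"], r["late"], r["before"], r["after"])
```

The practical point for a ticketing integration: store the provider's incident id on every ticket and treat a merge as a state transition you must reconcile, not as a deletion; `resolve_canonical` is what lets the sync survive chains of merges.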