stop MS Defender from adding certain alerts to a multi-stage incident

Oswald, Michael 0 Reputation points
2025-10-15T09:36:12.7033333+00:00

We use Splunk SOAR to run enrichments on MS Defender alerts. There are 2 specific alerts that MS Defender is grouping together into a multi-stage incident. The problem is that we want to investigate each alert separately, and have alert-specific automation run on each. When they are grouped together into a single incident, we're not able to do this.

Is there a way to whitelist specific alerts so that they are not included in multi-stage incidents?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

4 answers

  1. Monalisha Jena 3,680 Reputation points Microsoft External Staff Moderator
    2025-10-16T06:18:25.7+00:00

    Hello Oswald, Michael,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. 

    So, Microsoft Defender (especially Defender for Endpoint and Defender XDR) uses built-in alert correlation, called "Fusion," to combine related alerts into multi-stage incidents for better attack visibility. However, this auto-merging can interfere with custom SOAR workflows that rely on individual alert granularity. Currently, Defender does not provide an out-of-the-box whitelist or exclusion feature to prevent specific alert types from being added to multi-stage incidents. The correlation logic is automatic and managed by Defender’s backend.

    I need to check with you regarding some points:
    Which specific alert types do you want excluded from multi-stage incidents? Are these alerts custom or built-in? Are you using Microsoft Sentinel or only Defender alerts ingested into Splunk SOAR?

    I will try to recommend some workarounds:

    No built-in whitelist: Unfortunately, currently you cannot whitelist or exclude certain alerts from Fusion multi-stage incidents within Microsoft Defender.

    Alternatives:

    • Configure alert suppression or tuning rules to reduce noise or prevent some alerts from ever triggering incidents.
    • Build automation in your SOAR that splits or manages multi-stage incidents by extracting individual alerts for separate processing.
    • Use custom Sentinel analytic rules with refined correlation or disabling correlation where possible.

    References for more understanding:

    Manage alert correlation and incident merging: https://learn.microsoft.com/en-us/defender-xdr/alerts-incidents-correlation

    Tune alerts and create suppression rules: https://learn.microsoft.com/en-us/defender-endpoint/manage-alerts

    Manage incidents in Microsoft Defender: https://learn.microsoft.com/en-us/defender-xdr/manage-incidents

    Configure Fusion rules in Azure Sentinel (for reference if using Sentinel): https://docs.azure.cn/en-us/sentinel/configure-fusion-rules

    However, you can post your feedback in our Azure feedback portal regarding the feature.

    https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

    This channel is directly monitored by our PMs. They will look into this request and revert back to you directly with an update on this feature immediately.

    Hope this helps!

    Regards,

    Monalisha


  2. Andrew Iredale 0 Reputation points
    2025-10-21T04:39:26.61+00:00

    What's a good support number to alert a stolen phone under a highly recognized domain under Microsoft's authority.


  3. Monalisha Jena 3,680 Reputation points Microsoft External Staff Moderator
    2025-10-23T07:10:34.39+00:00

    Hello Oswald, Michael,

    You’re right to notice that the automation rule feature I mentioned is part of the Microsoft 365 Defender portal, and it does not require Sentinel; it’s available natively in Defender XDR for customers with the appropriate licenses (e.g., Defender for Endpoint, Defender for Office 365, etc.). These rules let you take actions like assigning incidents, tagging, or changing severity when an incident is created.

    However, there are two important points:

    • Automation rules work at the incident level, not the alert level. So if your alerts are being merged into a single multi-stage incident, the rule will apply to that incident as a whole, not to individual alerts.
    • If you only have Splunk SOAR and are not actively using the Defender portal for incident management, you’ll need to rely on your SOAR playbooks or the Defender XDR API to assign ownership programmatically.

    Where to find automation rules in Defender:

    If you don’t see the option, it could be due to:

    • Role permissions (need Security Administrator or similar).
    • License limitations (must have Microsoft 365 Defender or relevant Defender plans).

    Alternative if automation rules aren’t available:

    Hope this helps! Please consider clicking Accept Answer and Upvote. This will help us and others in the community as well. If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha



  4. Andrew Blumhardt 10,066 Reputation points Microsoft Employee
    2025-10-23T12:30:04.11+00:00

    Alert correlation relies on entity mapping for correlation. An alert without entities cannot be mapped. If the alert is coming from a Sentinel analytics rule, then break the entity mapping on one of the alerts. If the alert is from another source like MDE then I am not aware of an automated solution. You might experiment with an alert-based trigger or revising the automation to process the alerts. Basically, revise your automation to account for the correlation.

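The SOAR-side approach that answers 1, 3 and 4 all point to (pull the individual alerts out of the merged incident, run alert-specific automation on each, and account for the fact that Defender keeps adding alerts to the same incident) as an added worked example; this is not code from the thread, from Splunk or from Microsoft. It assumes the incident and alert field names of the Microsoft Graph security API (GET /security/incidents/{id}?$expand=alerts); the sample incident, alert ids, device name and playbook names are constructed for illustration.

```python
"""Split a Defender XDR multi-stage incident back into per-alert work items.

Added example (not from the thread or from Microsoft). It assumes the incident
shape returned by the Microsoft Graph security API
(GET /security/incidents/{id}?$expand=alerts); the sample incident and the
playbook/handler names are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Callable

# Constructed sample: three MDE alerts merged into one incident because the
# first two share the device entity ws01.contoso.local.
SAMPLE_INCIDENT = json.loads("""
{
  "id": "40001",
  "displayName": "Multi-stage incident involving Execution & Credential access on one endpoint",
  "severity": "high",
  "status": "active",
  "lastUpdateDateTime": "2025-10-15T09:30:00Z",
  "alerts": [
    {"id": "da1111111111111111111111", "title": "Suspicious PowerShell command line",
     "category": "Execution", "serviceSource": "microsoftDefenderForEndpoint", "severity": "medium",
     "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                   "deviceDnsName": "ws01.contoso.local"}]},
    {"id": "da2222222222222222222222", "title": "Suspicious credential dump from LSASS",
     "category": "CredentialAccess", "serviceSource": "microsoftDefenderForEndpoint", "severity": "high",
     "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                   "deviceDnsName": "ws01.contoso.local"}]},
    {"id": "da3333333333333333333333", "title": "Malware detected",
     "category": "Malware", "serviceSource": "microsoftDefenderForEndpoint", "severity": "low",
     "evidence": []}
  ]
}
""")

Handler = Callable[[dict, dict], dict]


def _result(playbook: str, alert: dict, incident: dict) -> dict:
    # Keep the incident id so the SOAR can still tag/comment on the merged incident.
    return {"playbook": playbook, "alert_id": alert["id"],
            "incident_id": incident["id"], "severity": alert["severity"]}


# Hypothetical alert-specific playbooks a SOAR would run (names are made up).
def handle_powershell(alert: dict, incident: dict) -> dict:
    return _result("powershell_cmdline_review", alert, incident)


def handle_lsass(alert: dict, incident: dict) -> dict:
    return _result("isolate_and_collect", alert, incident)


def handle_default(alert: dict, incident: dict) -> dict:
    return _result("generic_triage", alert, incident)


# Route on the alert's own title/category, not on incident.displayName: the
# merged incident's name says nothing about the individual alerts inside it.
ROUTES: list[tuple[Callable[[dict], bool], Handler]] = [
    (lambda a: a["title"].startswith("Suspicious PowerShell"), handle_powershell),
    (lambda a: a["category"] == "CredentialAccess" and "LSASS" in a["title"], handle_lsass),
]


def route_alert(alert: dict, incident: dict) -> dict:
    for matches, handler in ROUTES:
        if matches(alert):
            return handler(alert, incident)
    return handle_default(alert, incident)


def process_incident(incident: dict, seen_alert_ids: set[str]) -> list[dict]:
    """Run alert-level automation on every alert not handled before.

    Defender keeps adding alerts to an existing incident, so the same incident
    id comes back on each poll with a newer lastUpdateDateTime. Tracking alert
    ids (persist this set in the SOAR) stops the per-alert playbooks from
    re-running on alerts that were already processed.
    """
    results = []
    for alert in incident.get("alerts", []):
        if alert["id"] in seen_alert_ids:
            continue
        seen_alert_ids.add(alert["id"])
        results.append(route_alert(alert, incident))
    return results


def device_names(alert: dict) -> set[str]:
    """Device entities attached to an alert (the hook correlation keys on)."""
    return {e["deviceDnsName"] for e in alert.get("evidence", [])
            if e.get("@odata.type", "").endswith("deviceEvidence") and "deviceDnsName" in e}


def shared_devices(incident: dict) -> set[str]:
    """Devices common to every alert that carries device evidence: the reason
    otherwise unrelated alerts ended up in one incident."""
    sets = [s for s in (device_names(a) for a in incident.get("alerts", [])) if s]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    seen: set[str] = set()
    for item in process_incident(SAMPLE_INCIDENT, seen):
        print(item)
    print("second poll, nothing new:", process_incident(SAMPLE_INCIDENT, seen))
    print("shared device entities:", shared_devices(SAMPLE_INCIDENT))
```

In a real playbook the seen-alert set would live in the SOAR's state store and the incident would come from the API (or from a Defender alert-level trigger, as answer 4 suggests); the point is that the routing and the deduplication happen per alert, so the merge performed by Defender no longer decides which automation runs.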
