Please try to disable Alert Grouping: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-reduce-alert-noise-with-incident-settings-and-alert/ba-p/1187940
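To make the suggestion above concrete, here is an added example (not from this thread and not Microsoft's own code) of the two properties on a Scheduled analytics rule that decide how many alerts and incidents a query run produces, written as a Bicep resource of type Microsoft.SecurityInsights/alertRules. The workspace name, rule id, display name and query are placeholders I have assumed for illustration; the property names follow the Scheduled-rule schema of that resource type. `eventGroupingSettings.aggregationKind` controls whether all rows returned by one run become one alert (`SingleAlert`) or one alert per row (`AlertPerResult`); `incidentConfiguration.groupingConfiguration.enabled` is the Alert Grouping setting the answer refers to, and the merging behaviour described in the question is what `enabled: true` produces.

```bicep
// Added example, not from the original thread: a Scheduled analytics rule
// configured so that every matching event becomes its own alert and every
// alert opens its own incident (no grouping into an existing incident).
param workspaceName string   // assumed: an existing Log Analytics workspace with Sentinel enabled
param ruleId string          // assumed: a GUID chosen by you; Sentinel uses it as the rule name

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource rule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: ruleId
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Failed sign-ins (placeholder rule)'
    enabled: true
    severity: 'Medium'
    query: 'SigninLogs | where ResultType != 0'   // placeholder query, replace with the real one
    queryFrequency: 'PT5M'
    queryPeriod: 'PT5M'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT5H'

    // One alert per matching row. With the default 'SingleAlert', a run that
    // matches 150 rows produces a single alert carrying all 150 events.
    eventGroupingSettings: {
      aggregationKind: 'AlertPerResult'
    }

    incidentConfiguration: {
      createIncident: true
      // Alert Grouping switched off: each alert opens a new incident instead of
      // being attached to (or reopening) an earlier incident with matching entities.
      // The remaining fields only take effect when enabled is true; they are kept
      // here so the full grouping block is visible.
      groupingConfiguration: {
        enabled: false
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'AllEntities'
        groupByEntities: []
        groupByAlertDetails: []
        groupByCustomDetails: []
      }
    }
  }
}
```

Deploy it against the resource group that holds the workspace, for example with `az deployment group create -g <resource-group> -f rule.bicep -p workspaceName=<workspace> ruleId=<guid>`, or apply the same two settings in the portal under the rule's Incident settings tab. Two caveats: Sentinel caps `AlertPerResult` at 150 alerts per query run, so a run matching more rows than that still does not produce one alert per row, and with grouping disabled an email automation that triggers on incident creation fires once per alert, which is what the question asks for but can itself become noisy on a chatty rule.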
How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?
I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the analytics rule gets closed automatically and merged under a larger incident, instead of remaining as a separate incident.
Here's the problem in more detail:
I’ve set up automation to receive immediate email notifications each time an incident alert is triggered. However, due to this merging behavior, new events are grouped under previous incidents, making it difficult to get timely notifications.
Some incidents end up accumulating over 150 events, making investigation and analysis very cumbersome.
To address this, I’d like to configure Sentinel so that each new alert from the analytics rule creates a separate incident, rather than merging with existing ones. Could anyone provide guidance on the settings or configurations that would ensure each event generates a new incident?
Any help with specific configuration steps or best practices to avoid this automatic merging behavior would be greatly appreciated.