Merge pull request #292442 from yelevin/patch-6

prmerger-automator[bot] · web-flow · commit 9d3353504306 · 2024-12-31T14:01:44.000Z
Added disclaimers about incident creation and alert grouping …
diff --git a/articles/sentinel/create-analytics-rules.md b/articles/sentinel/create-analytics-rules.md
@@ -174,8 +174,12 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
      > [!IMPORTANT]
      > If you onboarded Microsoft Sentinel to the Microsoft Defender portal, leave this setting **Enabled**.
+     >
+     > - In this scenario, incidents are created by Microsoft Defender XDR, not by Microsoft Sentinel.
+     > - These incidents appear in the incidents queue in both the Azure and Defender portals.
+     > - In the Azure portal, new incidents are displayed with "Microsoft Defender XDR" as the **incident provider name**.
 
-   - If you want a single incident to be created from a group of alerts, instead of one for every single alert, see the next section.
+   - If you want a single incident to be created from a group of alerts, instead of one for every single alert, see the next step.
 
 1. <a name="alert-grouping"></a>**Set alert grouping settings.**
 
@@ -193,12 +197,22 @@ In the **Incident settings** tab, choose whether Microsoft Sentinel turns alerts
 
    1. **Re-open closed matching incidents**: If an incident has been resolved and closed, and later on another alert is generated that should belong to that incident, set this setting to **Enabled** if you want the closed incident re-opened, and leave as **Disabled** if you want the alert to create a new incident.
 
+      This option is not available when Microsoft Sentinel is onboarded to the Microsoft Defender portal.
+
+   > [!IMPORTANT]
+   > If you onboarded Microsoft Sentinel to the Microsoft Defender portal, the **alert grouping** settings take effect only at the moment that the incident is created.
+   > 
+   > Because the Defender portal's correlation engine is responsible for alert correlation in this scenario, it accepts these settings as initial instructions, but it also might make decisions about alert correlation that don't take these settings into account.
+   >
+   > Therefore, the way alerts are grouped into incidents might often be different than you would expect based on these settings.
+
    > [!NOTE]
    >
    > **Up to 150 alerts** can be grouped into a single incident.
    > - The incident will only be created after all the alerts have been generated. All of the alerts will be added to the incident immediately upon its creation.
    >
    > - If more than 150 alerts are generated by a rule that groups them into a single incident, a new incident will be generated with the same incident details as the original, and the excess alerts will be grouped into the new incident.
+
 1. Select **Next: Automated response**.
 
     # [Azure portal](#tab/azure-portal)
