You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/alerts-incidents-correlation.md
+23-14Lines changed: 23 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,15 +18,15 @@ ms.topic: conceptual
18
18
search.appverid:
19
19
- MOE150
20
20
- MET150
21
-
ms.date: 10/25/2024
21
+
ms.date: 02/02/2025
22
22
appliesto:
23
23
- Microsoft Defender XDR
24
24
- Microsoft Sentinel in the Microsoft Defender portal
25
25
---
26
26
27
27
# Alert correlation and incident merging in the Microsoft Defender portal
28
28
29
-
This article explains how the Microsoft Defender portal aggregates and correlates the alerts that it collects from all the sources that produce them and send them to the portal. It explains how Defender creates incidents from these alerts, and how it continues to monitor their evolution, merging incidents together if the situation warrants. To learn more about alerts and their sources, and how incidents add value in the Microsoft Defender portal, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
29
+
This article explains how the correlation engine in the Microsoft Defender portal aggregates and correlates the alerts collected from all the sources that produce them and send them to the portal. It explains how Defender creates incidents from these alerts, and how it continues to monitor their evolution, merging incidents together if the situation warrants. To learn more about alerts and their sources, and how incidents add value in the Microsoft Defender portal, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
30
30
31
31
## Incident creation and alert correlation
32
32
@@ -56,36 +56,45 @@ Defender's correlation engine merges incidents when it recognizes common element
56
56
- Time frames
57
57
- Sequences of events that point to multistage attacks—for example, a malicious email click event that follows closely on a phishing email detection.
58
58
59
-
### Outcomes of the merge process
59
+
### Details of the merge process
60
60
61
-
When two or more incidents are merged, a new incident is not created to absorb them. Instead, the contents of one incident are migrated into the other incident, and the incident abandoned in the process is automatically closed. The abandoned incident is no longer visible or available in the Defender portal, and any reference to it is redirected to the consolidated incident. The abandoned, closed incident remains accessible in Microsoft Sentinel in the Azure portal. The contents of the incidents are handled in the following ways:
61
+
When two or more incidents are merged, a new incident is *not* created to absorb them. Instead, the contents of one incident (the **"source incident"**) are migrated into the other incident (the **"target incident"**), and the source incident is automatically closed. The source incident is no longer visible or available in the Defender portal, and any reference to it is redirected to the target incident. The source incident, though closed, remains accessible in Microsoft Sentinel in the Azure portal.
62
62
63
-
- Alerts contained in the abandoned incident are removed from it and added to the consolidated incident.
64
-
- Any tags applied to the abandoned incident are removed from it and added to the consolidated incident.
65
-
- A **`Redirected`** tag is added to the abandoned incident.
63
+
#### Merge direction
64
+
65
+
The direction of the incident merge refers to which incident is the source and which is the target. This direction is determined by Microsoft Defender, based on its own internal logic, with the goal of maximizing information retention and access. The user doesn't have any input into this decision.
66
+
67
+
#### Incident contents
68
+
69
+
The contents of the incidents are handled in the following ways:
70
+
71
+
- All alerts contained in the source incident are removed from the source incident and added to the target incident.
72
+
- Any tags applied to the source incident are removed from the source incident and added to the target incident.
73
+
- A **`Redirected`** tag is added to the source incident.
66
74
- Entities (assets etc.) follow the alerts they're linked to.
67
-
- Analytics rules recorded as involved in the creation of the abandoned incident are added to the rules recorded in the consolidated incident.
68
-
- Currently, comments and activity log entries in the abandoned incident are *not* moved to the consolidated incident.
75
+
- Analytics rules recorded as involved in the creation of the source incident are added to the rules recorded in the target incident.
76
+
- Currently, comments and activity log entries in the source incident are *not* moved to the target incident.
69
77
70
-
To see the abandoned incident's comments and activity history, open the incident in Microsoft Sentinel in the Azure portal. The activity history includes the closing of the incident and the adding and removal of alerts, tags, and other items related to the incident merge. These activities are attributed to the identity *Microsoft Defender XDR - alert correlation*.
78
+
To see the source incident's comments and activity history, open the incident in Microsoft Sentinel in the Azure portal. The activity history includes the closing of the incident and the adding and removal of alerts, tags, and other items related to the incident merge. These activities are attributed to the identity *Microsoft Defender XDR - alert correlation*.
71
79
72
80
### When incidents aren't merged
73
81
74
82
Even when the correlation logic indicates that two incidents should be merged, Defender doesn't merge the incidents under the following circumstances:
75
83
76
84
- One of the incidents has a status of "Closed". Incidents that are resolved don't get reopened.
77
-
- The two incidents eligible for merging are assigned to two different people.
78
-
- Merging the two incidents would raise the number of entities in the merged incident above the allowed maximum of 50 entities per incident.
85
+
- The source and target incidents are assigned to two different people.
86
+
- The source and target incidents have two different classifications (for example, true positive and false positive).
87
+
- Merging the two incidents would raise the number of entities in the target incident above the allowed maximum.
79
88
- The two incidents contain devices in different [device groups](/defender-endpoint/machine-groups) as defined by the organization. <br>(This condition is not in effect by default; it must be enabled.)
-[The power of incidents in Microsoft Defender XDR](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/the-power-of-incidents-in-microsoft-365-defender/ba-p/3515483)
0 commit comments