Every so often, Microsoft slips a feature into preview that looks small on paper but solves a very loud problem for SOCs in the middle of a migration. The new “Exclude analytics rules from correlation” capability in Microsoft Defender XDR is exactly that kind of gift. [Exclude an...soft Learn | Learn.Microsoft.com]
If you’ve ever worked through a Sentinel‑to‑Defender transition, you already know the pain point. Sentinel’s incident model is beautifully straightforward: one analytics rule, one grouping configuration, one predictable incident. Defender XDR, on the other hand, takes all your alerts, stirs in correlation logic, attacker activity sequences, and multi‑product signals, and sometimes hands you back incidents shaped slightly differently from what your automation playbooks expect.
That change can cause more than a few problems with runbooks, SOAR logic, backlog projections… basically anything that relies on consistent incident formation.
Microsoft Defender XDR’s correlation engine is powerful. It’s also opinionated. It tells a cohesive “attack story” by merging alerts and incidents across products and analytics engines. That’s fantastic when you want clarity during an active attack. But for teams migrating from Sentinel, it can be disruptive.
This new preview lets you selectively exclude specific analytics rules from the correlation engine so that:
Alerts from those rules bypass correlation entirely
They form incidents in Defender the same way they did in Sentinel
Your existing automations continue to behave predictably
Your runbooks stop throwing surprise exceptions
Your analysts stop asking why incidents look “wrong”
How do I actually disable correlation?
There are two ways to disable correlation in the Defender portal.
Browse to Investigation & response → Hunting → Custom detection rules.
Select the check box next to the rule for which you want to disable correlation.
Then, at the top, select Disable correlation.
Another method is to exclude a rule from correlation by adding a #DONT_CORR# tag.
Browse to Investigation & response → Hunting → Custom detection rules.
Open the analytics rule in edit mode.
In the rule’s Description field, add #DONT_CORR# at the very beginning of the text.
Save the rule.
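Because the tag only counts at the very beginning of the Description, it is worth checking tag placement across the rules your playbooks depend on. The following is an added example, not code from Microsoft or from this post: it assumes the rules are available as a Sentinel analytics-rule ARM export with `properties.displayName` and `properties.description`, that a tag in any other position or case is not effective, and the rule and playbook names are constructed.

```python
import json
import re

TAG = "#DONT_CORR#"  # tag text as given on this page

# Constructed sample in the shape of a Sentinel analytics-rule ARM export
# (resources[].properties.displayName / .description); not real rules.
SAMPLE_EXPORT = json.dumps({"resources": [
    {"properties": {"displayName": "Legacy VPN brute force",
                    "description": "#DONT_CORR# Feeds playbook PB-01."}},
    {"properties": {"displayName": "Break-glass account sign-in",
                    "description": "Feeds playbook PB-02. #DONT_CORR#"}},
    {"properties": {"displayName": "Rare process on server",
                    "description": "Hunting-grade signal."}},
]})

def classify(description):
    """Return 'excluded', 'misplaced' or 'untagged' for one description."""
    text = description or ""
    if text.startswith(TAG):
        return "excluded"
    # Assumption: tag elsewhere in the text, or in another case, is not effective.
    if TAG.lower() in text.lower():
        return "misplaced"
    return "untagged"

def with_tag(description):
    """Description with the tag moved or added to the front, idempotently."""
    text = description or ""
    if text.startswith(TAG):
        return text
    rest = re.sub(re.escape(TAG), "", text, flags=re.IGNORECASE).strip()
    return f"{TAG} {rest}".rstrip()  # separating space is this example's choice

def audit(export_json, must_exclude):
    """Map each rule name to (state, proposed description or None)."""
    report = {}
    for res in json.loads(export_json)["resources"]:
        props = res["properties"]
        state = classify(props.get("description"))
        needs_fix = props["displayName"] in must_exclude and state != "excluded"
        fix = with_tag(props.get("description")) if needs_fix else None
        report[props["displayName"]] = (state, fix)
    return report

if __name__ == "__main__":
    wanted = {"Legacy VPN brute force", "Break-glass account sign-in"}
    for name, (state, fix) in audit(SAMPLE_EXPORT, wanted).items():
        print(f"{name}: {state}" + (f" -> {fix!r}" if fix else ""))
```

The proposed descriptions are only suggestions to paste into the rule's Description field; the script does not change any rule.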





Thank you for raising awareness of this feature, Andrea!!