Forum Discussion
Reached the maximum limit of Analytics Rules of 512 in Sentinel
- Jul 11, 2022
You can create a new workspace (without data) and use cross-workspace queries to hit the data in your main one. That way you can generate alerts in the other workspace to get around that limit.
I'm surprised the 512 limitation isn't more prominently documented/mentioned, but I'd hazard that most orgs would struggle to come close to hitting that limit. Many don't have an analytics rule per-Mitre tactic/technique.
- Asaad_Moosa, Jul 14, 2022, Copper Contributor
Thanks ReganDangerCarey, we went ahead with creating a new workspace and enabled Sentinel on it, then we started creating new analytics rules but by using the "workspace" expression to execute the KQL queries on the first workspace.
workspace("First_Workspace").TableName
The second workspace is an empty workspace, meaning no data connectors are used, since all rule queries will be executed on the first workspace, where the log data is collected centrally.
One observation from using this approach: when writing the KQL in the second workspace, it doesn't activate the autocomplete of column names as you type, which meant we had to switch back to the first workspace, complete the KQL query there (with the help of column-name auto-complete) and then save the final query as an analytics rule in the second workspace.
I think with time, when more companies realise the importance of creating and developing more analytics rules (like our case, to benchmark our SOC against the MITRE ATT&CK framework, or to catch any opportunistic zero-day IoCs while IT are busy rolling out a critical patch) and hit the maximum barrier of the 512 limit in Sentinel, they will realise the pain of having to spin up a second, then a third, etc. workspace to evolve their Sentinel SOC maturity and make room for more analytics rules. But once it is set up, it works like a charm!
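A worked example of the approach described in this thread, added here and not taken from either poster: a scheduled analytics rule query saved in the second (empty) workspace that reads only from the first one via the workspace() expression. "First_Workspace" is a placeholder, and the query assumes that workspace ingests the Microsoft Entra ID SigninLogs table.

```kql
// Added example: cross-workspace analytics rule query for the "second, empty workspace" pattern.
// Assumptions: "First_Workspace" is a placeholder for the data-holding workspace and it has SigninLogs.
let lookback = 1h;
let failThreshold = 10;
// Every table reference must carry the workspace() prefix; a bare table name would
// resolve against the empty second workspace the rule lives in and match nothing.
let signins = workspace("First_Workspace").SigninLogs
    | where TimeGenerated > ago(lookback);
// Step 1: source IPs with a burst of failed sign-ins (any non-zero ResultType).
let failedBursts = signins
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                TargetedUsers = make_set(UserPrincipalName, 25)
            by IPAddress
    | where FailedCount >= failThreshold;
// Step 2: successful sign-ins from the same IPs.
let successes = signins
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, SuccessUser = UserPrincipalName;
// Step 3: keep only successes that occurred after the failure burst from that IP.
failedBursts
| join kind=inner successes on IPAddress
| where SuccessTime > LastFail
| project FirstFail, LastFail, SuccessTime, IPAddress, FailedCount, TargetedUsers, SuccessUser
// In the rule's entity mapping, map IPAddress to the IP entity and SuccessUser to the Account entity.
```

Because column-name autocomplete is not available in the empty workspace, as noted above, the column names here (ResultType, UserPrincipalName, IPAddress) are typed from the first workspace's schema; validate the query there before saving it as a rule in the second.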