Forum Discussion
Solved
Reached the maximum limit of Analytics Rules of 512 in Sentinel
Hello all, We have 539 toal analytics rules in Sentinel, 478 enabled rules and 61 disabled rules. Today, we noticed that we can't add new scheduled rules in the Analytics section of Sentinel. W...
- You can create a new workspace (without data) and use cross-workspace queries to hit the data in your main one. That way you can generate alerts in the other workspace to get around that limit.
I'm surprised the 512 limitation isn't more prominently documented/mentioned, but I'd hazard that most orgs would struggle to come close to hitting that limit. Many don't have an analytics rule per-Mitre tactic/technique.
I would love the opportunity to check out all of those rules! We have a little bit over half of those and personally, I think most of them create noise more than provided benefits. You could really help me out!