ninja training
5 TopicsReached the maximum limit of Analytics Rules of 512 in Sentinel
Hello all, We have 539 toal analytics rules in Sentinel, 478 enabled rules and 61 disabled rules. Today, we noticed that we can't add new scheduled rules in the Analytics section of Sentinel. When we checked the Sentinel workspace's Activity logs, we saw this error message: "The maximum number of Scheduled analytics rules (512) has already been reached for workspace xxxxxx". It looks that Microsoft Sentinel has indeed a Service Limit on the number of Analytics rules of 512 you can have in a workspace, as per this article https://docs.microsoft.com/en-us/azure/sentinel/sentinel-service-limits We need to add more rules to ensure that our Sentinel is benchmarked against Mitre Att&ck framework. According to https://attack.mitre.org/techniques/enterprise/, there are 191 techniques and 385 sub-techniques in the latest Att&ck framework – that’s a total of 576, how are we supposed to have have good analytics insights coverage with the limit of 512? That’s without even considering new ransomware rules, threat intel rules, and general zero-day rules e.g. Log4J etc. We have a single workspace where all data connectors (from other Microsoft solutions, Defender products etc as well as other on-premise Syslog servers). If we consider splitting our rules between two or three workspaces to cover all the Mitre Att&ck techniques and sub-techniques (and other custom rules for our own environment), then we need to duplicate the data across those additional workspaces but we split the rules across multiple workspaces and work with incidents across all workspaces (per this article https://docs.microsoft.com/en-us/azure/sentinel/multiple-workspace-view) - but this means we have to pay for duplication of workspaces storage. This can't be a realistic solution that Microsoft expects us to do! Has anyone faced this challenge and hit this maximum analytics rule limit of 512? Any advice how we might overcome it? Where do we go from here? I am surprised that this topics has not been discussed widely by companies who have mature SOCs based on Sentinel who have considered full benchmarking their Sentinel rules against Mitre Att&ck framework. Any help will be highly appreciated and thanks in advance for any comments.Solved6.8KViews2likes3Comments
