How many analytics rules can be actively running in Sentinel? What are the service limits and caps on the maximum number of analytics rules that can run in Sentinel?

Meghal Vasa (external) 1 Reputation point
2021-11-12T01:12:27.497+00:00

I tried searching the Microsoft documentation, but it's not officially documented, and in the forums it's not answered either: https://social.msdn.microsoft.com/Forums/en-US/2b69e1a4-e761-4efc-9de7-648e0ae387c8/how-many-rules-can-your-run-consecutively-to-work?forum=ppsplanning

Could someone please tell me the maximum number of analytics rules that can be created/enabled to run in Azure Sentinel? Are there any service limits or caps on the number of analytics rules defined by Azure?

Please do not reply with suggestion to put this question to microsoft support.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

1 answer

  1. George Moise 2,361 Reputation points Microsoft Employee
    2021-11-12T07:39:55.273+00:00

    Hello Meghal,

    The maximum number of Scheduled Analytics Rules in Azure Sentinel is 512.

    I am unable to search for this in the official documentation, but I know for sure that 512 is the number at this moment (not sure if it will be increased or not in the future).
    You can decrease the number of analytics rules you create by making use of the dynamic content of the Alert Details (meaning that the same analytics rule could generate multiple types of alerts, e.g. critical or medium severity, based on the properties returned by the query, allowing you to have just one rule for multiple severities rather than multiple copies of the same rule with different severity configurations).

    BR,
    George

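The consolidation George describes, as an added illustration that is not part of his answer or of any Microsoft template: a single Scheduled analytics rule whose query computes a Severity column, with alertDetailsOverride telling Sentinel to take each alert's severity from that column instead of the rule's static severity. The workspace name, rule GUID, table (SigninLogs), thresholds and the query itself are assumptions chosen for the example; the property names are the ones in the Microsoft.SecurityInsights/alertRules resource schema.

```bicep
// Added example, not code from the answer above or from Microsoft.
// Assumed placeholders: workspace name, rule GUID, SigninLogs as the source
// table, and the failed-sign-in thresholds used to derive the severity.
param workspaceName string = 'example-sentinel-workspace'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// One rule replaces three copies (Low / Medium / High) of the same query.
resource sprayRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'b1a0c6d8-0000-4000-8000-000000000001' // assumed rule id (must be a GUID)
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Failed sign-in burst from a single IP (severity per result)'
    description: 'Severity is computed in the query and mapped onto the alert via alertDetailsOverride.'
    enabled: true
    // Static fallback; alertDetailsOverride below takes precedence when the
    // Severity column is present and holds one of Informational/Low/Medium/High.
    severity: 'Medium'
    query: '''
SigninLogs
| where ResultType != 0
| summarize FailedCount = count(), TargetedUsers = dcount(UserPrincipalName) by IPAddress
| where FailedCount >= 10
| extend Severity = case(
    FailedCount >= 100, "High",
    FailedCount >= 50,  "Medium",
                        "Low")
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [
      'CredentialAccess'
    ]
    // One alert per result row, so each row carries its own Severity value.
    eventGroupingSettings: {
      aggregationKind: 'AlertPerResult'
    }
    alertDetailsOverride: {
      alertDisplayNameFormat: '{{FailedCount}} failed sign-ins from {{IPAddress}}'
      alertDescriptionFormat: '{{TargetedUsers}} distinct accounts targeted from {{IPAddress}} in the last hour'
      // Column name must match the query output exactly; values outside the
      // four Sentinel severities fall back to the static severity above.
      alertSeverityColumnName: 'Severity'
    }
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: false
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'AllEntities'
      }
    }
  }
}
```

Deploy with `az deployment group create` against the resource group that holds the workspace. The point for the 512-rule cap is that the severity split now lives in the query's `case()` expression rather than in rule copies, so one rule counts once against the limit; the same override block can also set the alert name, description and tactics per result, which removes further reasons to clone a rule.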
