
Unclear limit on max Incidents per Workspace per day

Open camalloy opened this issue 1 year ago • 2 comments

I'm seeing a warning message about hitting a limit; however, I can't tell what limit I'm hitting based on this documentation.

Here is the warning from Sentinel:

"Notice: your workspace has generated too many incidents in the last day. If it continues at this rate, you might be unable to create or modify incidents in the future. Please turn off or adjust any rule that might be creating too many incidents."



camalloy avatar Apr 25 '24 20:04 camalloy

@camalloy Thanks for your feedback! We will investigate and update as appropriate.

PesalaPavan avatar Apr 26 '24 04:04 PesalaPavan

@camalloy According to the Microsoft Sentinel service limits documentation, there is no specific limit on the maximum number of incidents per workspace per day. However, there are some general limits that apply to incidents, such as the maximum number of incidents that can be displayed concurrently in the Incidents page (100), and the maximum number of incidents that can be exported to a CSV file (10,000). Additionally, there are limits on the number of incidents that can be created or updated by various features, such as analytics rules and playbooks.

Thanks for your contribution. Please add your feedback at the link below, so our production team can review it and update the same: Ideas · Community (azure.com)

SaibabaBalapur-MSFT avatar Apr 29 '24 09:04 SaibabaBalapur-MSFT

@SaibabaBalapur-MSFT can you explain the error message then? I understand the docs don't have a limit; however, as indicated by the error message, there is a limit being imposed.

camalloy avatar May 07 '24 20:05 camalloy

> @SaibabaBalapur-MSFT can you explain the error message then? I understand the docs don't have a limit; however, as indicated by the error message, there is a limit being imposed.

@SaibabaBalapur-MSFT any updates on this?

camalloy avatar May 13 '24 15:05 camalloy

@camalloy I apologize for the confusion earlier. I am assigning the case to the document author. @yelevin, can you please check and add your comments on this doc update request as applicable?

SaibabaBalapur-MSFT avatar May 13 '24 15:05 SaibabaBalapur-MSFT

@yelevin

Here is a screenshot if that helps: image

We were able to identify the broken rule and made a change. However, we do want to understand what the limits are so we can plan accordingly.

camalloy avatar May 14 '24 16:05 camalloy

#label:"backlog-item-created"

batamig avatar May 22 '24 07:05 batamig

@camalloy Thanks for your patience!

I have investigated and documented this limit, which isn't exactly a hard limit, as you will see at this link: Service limits for Microsoft Sentinel | Incident limits

I will consider this issue closed, but please feel free to comment further if necessary.

#please-close

cc: @SaibabaBalapur-MSFT @PesalaPavan @batamig

yelevin avatar May 29 '24 18:05 yelevin

#please-close

yelevin avatar May 29 '24 18:05 yelevin