| Number of anomalies published per anomaly type | Top 3000 ranked by anomaly score | None |
75
+
| Number of alerts and/or anomalies in a single Fusion incident | 100 alerts and/or anomalies | None |
77
76
78
77
## Multi workspace limits
79
78
80
79
The following limit applies to multiple workspaces in Microsoft Sentinel. Limits here are applied when working with Sentinel features across more than workspace at a time.
| Analytics rules | 20 Sentinel workspaces per query ||
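Review bot: the intro sentence under `## Multi workspace limits` is missing a word: "across more than workspace at a time" should read "across more than one workspace at a time". It is unchanged context, but this hunk already touches the section, so it is a one-line fix worth folding in. The same sentence says "The following limit applies" while the table that follows lists several limits; "The following limits apply" matches the wording of the other sections in this file.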
@@ -89,66 +88,67 @@ The following limit applies to multiple workspaces in Microsoft Sentinel. Limits
89
88
90
89
The following limits apply to notebooks in Microsoft Sentinel. The limits are related to the dependencies on other services used by notebooks.
91
90
92
-
|Description|Limit |Dependency|
93
-
|-------|-------|-------|
94
-
| Total count of these assets per machine learning workspace: datasets, runs, models, and artifacts |10 million assets |Azure Machine Learning|
95
-
| Default limit for total compute clusters per region. Limit is shared between a training cluster and a compute instance. A compute instance is considered a single-node cluster for quota purposes. | 200 compute clusters per region|Azure Machine Learning|
96
-
|Storage accounts per region per subscription|250 storage accounts|Azure Storage|
97
-
|Maximum size of a file share by default|5 TB|Azure Storage|
98
-
|Maximum size of a file share with large file share feature enabled|100 TB|Azure Storage|
99
-
|Maximum throughput (ingress + egress) for a single file share by default|60 MB/sec|Azure Storage|
100
-
|Maximum throughput (ingress + egress) for a single file share with large file share feature enabled|300 MB/sec|Azure Storage|
91
+
|Description|Limit |Dependency|
92
+
|-----------|----- |---------- |
93
+
| Total count of these assets per machine learning workspace: datasets, runs, models, and artifacts |10 million assets |Azure Machine Learning|
94
+
| Default limit for total compute clusters per region. Limit is shared between a training cluster and a compute instance. A compute instance is considered a single-node cluster for quota purposes. | 200 compute clusters per region|Azure Machine Learning|
95
+
|Storage accounts per region per subscription|250 storage accounts|Azure Storage|
96
+
|Maximum size of a file share by default|5 TB|Azure Storage|
97
+
|Maximum size of a file share with large file share feature enabled|100 TB|Azure Storage|
98
+
|Maximum throughput (ingress + egress) for a single file share by default|60 MB/sec|Azure Storage|
99
+
|Maximum throughput (ingress + egress) for a single file share with large file share feature enabled|300 MB/sec|Azure Storage|
101
100
102
101
## Repositories limits
103
102
104
103
The following limits apply to repositories in Microsoft Sentinel.
105
104
106
-
|Description |Limit |Dependency|
107
-
|---------|---------|---------|
108
-
|Number of repositories | 5 | Sentinel Workspace|
109
-
|Deployment history | 800 | Azure Resource Group |
105
+
|Description |Limit |Dependency|
106
+
|----------- |-----|---------- |
107
+
|Number of repositories | 5 | Sentinel Workspace|
108
+
|Deployment history | 800 | Azure Resource Group |
110
109
111
110
## Threat intelligence limits
112
111
113
112
The following limit applies to threat intelligence in Microsoft Sentinel. The limit is related to the dependency on an API used by threat intelligence.
## User and Entity Behavior Analytics (UEBA) limits
131
130
132
131
The following limit applies to UEBA in Microsoft Sentinel. The limit for UEBA in Microsoft Sentinel is related to dependencies on another service.
133
132
134
-
|Description |Limit |Dependency|
135
-
|---------|---------|---------|
136
-
|Lowest retention configuration in days for the [IdentityInfo](/azure/azure-monitor/reference/tables/identityinfo) table. All data stored on the IdentityInfo table in Log Analytics is refreshed every 14 days. | 14 days |Log Analytics|
133
+
| Description | Limit | Dependency |
134
+
| ----------- | ----- | ---------- |
135
+
| Lowest retention configuration in days for the [IdentityInfo](/azure/azure-monitor/reference/tables/identityinfo) table. All data stored on the IdentityInfo table in Log Analytics is refreshed every 14 days. | 14 days | Log Analytics |
136
+
| Groups listed in the *GroupMembership* field in the [IdentityInfo](ueba-reference.md#identityinfo-table) table (including subgroups) | 500 ||
137
137
138
138
## Watchlist limits
139
139
140
140
The following limits apply to watchlists in Microsoft Sentinel. The limits are related to the dependencies on other services used by watchlists.
|Upload size limit for local file</br>files over this limit are considered `large`| 3.8 MB per file |Azure Resource Manager
145
-
|Line entry in the CSV file |10,240 characters per line|Azure Resource Manager|
146
-
|Total size of a single row | 10 Kb | Log Analytics|
147
-
|Upload size for large watchlist files in Azure Storage |500 MB per file|Azure Storage|
148
-
|Total number of active watchlist items per workspace</br>When the max count is reached, delete some existing items to add a new watchlist.|10 million active watchlist items|Log Analytics|
149
-
|Total rate of change of all watchlist items per workspace</br>(create, update, and delete operations) | 100,000 changes per month</br>(1% of max active watchlist items)|Log Analytics|
150
-
|Number of `large` watchlist uploads per workspace at a time</br>See upload size limit for what makes a watchlist `large`|One `large` watchlist | Azure Cosmos DB|
151
-
|Number of large watchlist deletions per workspace at a time</br>See upload size limit for what makes a watchlist `large`| One `large` watchlist |Azure Cosmos DB|
142
+
|Description | Limit |Dependency|
143
+
| -----------|-----|----------|
144
+
|Upload size limit for local file</br>files over this limit are considered `large`| 3.8 MB per file |Azure Resource Manager|
145
+
|Line entry in the CSV file |10,240 characters per line|Azure Resource Manager|
146
+
|Total size of a single row | 10 Kb | Log Analytics|
147
+
|Upload size for large watchlist files in Azure Storage |500 MB per file|Azure Storage|
148
+
|Total number of active watchlist items per workspace</br>When the max count is reached, delete some existing items to add a new watchlist.|10 million active watchlist items|Log Analytics|
149
+
|Total rate of change of all watchlist items per workspace</br>(create, update, and delete operations) | 100,000 changes per month</br>(1% of max active watchlist items)|Log Analytics|
150
+
|Number of `large` watchlist uploads per workspace at a time</br>See upload size limit for what makes a watchlist `large`|One `large` watchlist | Azure Cosmos DB|
151
+
|Number of large watchlist deletions per workspace at a time</br>See upload size limit for what makes a watchlist `large`| One `large` watchlist | Azure Cosmos DB|
152
152
153
153
## Workbook limits
154
154
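Review bot: the new UEBA row (`| Groups listed in the *GroupMembership* field ... | 500 ||`) leaves the Dependency cell empty, while the section intro still says "The limit for UEBA in Microsoft Sentinel is related to dependencies on another service", which now reads as if both rows carried a dependency. Either name the dependency for the 500-group limit, as every other row in this file does (Log Analytics, Azure Storage, Azure Cosmos DB), or reword the intro to "The following limits apply to UEBA in Microsoft Sentinel" and say that only the retention limit depends on Log Analytics. One smaller point in the same hunk: the watchlist row `|Total size of a single row | 10 Kb | Log Analytics|` should use KB (kilobytes), since Kb reads as kilobits and the neighbouring rows use MB and TB. The remaining edits to the notebooks, repositories and watchlist tables only change the separator rows and render identically, which is fine but worth calling out as whitespace-only when this is reviewed.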
@@ -158,9 +158,9 @@ Workbook limits for Sentinel are the same result limits found in Azure Monitor.
158
158
159
159
The following limits apply to workspace manager in Microsoft Sentinel.
articles/sentinel/ueba-reference.md
24 additions & 7 deletions
@@ -209,21 +209,38 @@ The following tables describe the enrichments featured in the **ActivityInsights
209
209
210
210
### IdentityInfo table
211
211
212
-
After you [enable UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the **IdentityInfo** table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Microsoft Entra ID in your analytics rules to enhance your analytics to fit your use cases and reduce false positives.
212
+
After you [enable and configure UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Microsoft identity providers is synchronized to the *IdentityInfo* table in Log Analytics for use in Microsoft Sentinel.
213
+
214
+
Those identity providers are either or both of the following, depending on which you selected when you configured UEBA:
215
+
216
+
- Microsoft Entra ID (cloud-based)
217
+
- Microsoft Active Directory (on-premises, requires Microsoft Defender for Identity))
218
+
219
+
You can query the *IdentityInfo* table in analytics rules, hunting queries, and workbooks, enhancing your analytics to fit your use cases and reducing false positives.
213
220
214
221
While the initial synchronization may take a few days, once the data is fully synchronized:
215
222
216
-
- Changes made to your user profiles, groups, and roles in Microsoft Entra ID are updated in the **IdentityInfo** table within 15-30 minutes.
223
+
- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID (and your on-premises Active Directory, if applicable) to ensure that stale records are fully updated.
224
+
225
+
- Besides these regular full synchronizations, whenever changes are made to your user profiles, groups, and built-in roles in Microsoft Entra ID, the affected user records are re-ingested and updated in the *IdentityInfo* table within 15-30 minutes. This ingestion is billed at regular rates. For example:
217
226
218
-
- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated.
227
+
- A user attribute, such as display name, job title, or email address, was changed. A new record for this user is ingested into the *IdentityInfo* table, with the relevant fields updated.
219
228
220
-
- Default retention time in the **IdentityInfo** table is 30 days.
229
+
- Group A has 100 users in it. 5 users are added to the group or removed from the group. In this case, those 5 user records are re-ingested, and their *GroupMembership* fields updated.
230
+
231
+
- Group A has 100 users in it. Ten users are added to Group A. Also, groups A1 and A2, each with 10 users, are added to Group A. In this case, 30 user records are re-ingested and their *GroupMembership* fields updated. This happens because group membership is transitive, so changes to groups affect all their subgroups.
232
+
233
+
- Group B (with 50 users) is renamed to Group BeGood. In this case, 50 user records are re-ingested and their *GroupMembership* fields updated. If there are subgroups in that group, the same happens for all their members' records.
234
+
235
+
- Default retention time in the *IdentityInfo* table is 30 days.
221
236
222
237
#### Limitations
223
238
224
-
- Currently, only built-in roles are supported.
239
+
- The *AssignedRoles* field supports only built-in roles.
240
+
241
+
- The *GroupMembership* field supports listing up to 500 groups per user, including subgroups. If a user is a member of more than 500 groups, only the first 500 are synchronized with the *IdentityInfo* table. The groups are not evaluated in any particular order, though, so at each new synchronization (every 14 days), it's possible that a different set of groups will be updated to the user record.
225
242
226
-
-Data about deleted groups, where a user was removed from a group, is not currently supported.
243
+
-When a group is deleted, or if a group with more than 100 members has its name changed, that group's member user records are not updated. If a different change causes one of those users' records to be updated, the updated group information will be included at that point.
227
244
228
245
#### Versions of the IdentityInfo table
229
246
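Review bot: the new limitation at the end of the hunk ("if a group with more than 100 members has its name changed, that group's member user records are not updated") introduces a 100-member threshold that the rename example earlier in the same hunk ("Group B (with 50 users) is renamed to Group BeGood. In this case, 50 user records are re-ingested") never mentions. Add the threshold to that example, otherwise readers will take rename propagation as unconditional and write detections that assume *GroupMembership* reflects a rename for large groups. Two wording fixes: the bullet "- Microsoft Active Directory (on-premises, requires Microsoft Defender for Identity))" has a doubled closing parenthesis, and "group membership is transitive, so changes to groups affect all their subgroups" should say the change re-ingests the records of the members of all nested subgroups, since it is user records, not groups, that are updated. In the 500-group limitation, since the hunk already says a different set of groups may be synchronized at each full sync, it is worth stating the consequence plainly: for users in more than 500 groups, any analytics rule keyed on *GroupMembership* is non-deterministic across syncs.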
@@ -249,7 +266,7 @@ The following table describes the user identity data included in the **IdentityI
249
266
|**AccountTenantId**| string | The Microsoft Entra tenant ID of the user account. | -- |
250
267
|**AccountUPN**| string | The user principal name of the user account. | AccountUPN |
251
268
|**AdditionalMailAddresses**| dynamic | The additional email addresses of the user. | -- |
252
-
|**AssignedRoles**| dynamic | The Microsoft Entra roles the user account is assigned to. | AssignedRoles |
269
+
|**AssignedRoles**| dynamic | The Microsoft Entra roles the user account is assigned to. Only built-in roles are supported. | AssignedRoles |
253
270
|**BlastRadius**| string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High*| -- |
254
271
|**ChangeSource**| string | The source of the latest change to the entity. <br>Possible values: <li>*AzureActiveDirectory*<li>*ActiveDirectory*<li>*UEBA*<li>*Watchlist*<li>*FullSync*| ChangeSource |
255
272
|**CompanyName**|| The company name to which the user belongs. | -- |
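Review bot: the `|**CompanyName**|| The company name to which the user belongs. | -- |` row has an empty type cell where every other row in this table gives `string` or `dynamic`; it is unchanged context, but the hunk is already editing this table, so fill the type in here. The *AssignedRoles* change is consistent with the new "#### Limitations" bullet earlier in the file ("The *AssignedRoles* field supports only built-in roles."); consider linking to that bullet from the row rather than repeating "Only built-in roles are supported" in two places, so the two statements do not drift apart.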