Merge pull request #290755 from yelevin/patch-2

prmerger-automator[bot] · web-flow · commit 36b39ed70b8f · 2024-11-20T10:20:43.000Z
Added cross-workspace support
diff --git a/articles/sentinel/create-nrt-rules.md b/articles/sentinel/create-nrt-rules.md
@@ -80,17 +80,15 @@ You create NRT rules the same way you create regular [scheduled-query analytics
 
     - You can automate responses to both alerts and incidents.
 
+    - You can run the rule query across multiple workspaces.
+
     Because of the [**nature and limitations of NRT rules**](near-real-time-rules.md#considerations), however, the following features of scheduled analytics rules will *not be available* in the wizard:
 
     - **Query scheduling** is not configurable, since queries are automatically scheduled to run once per minute with a one-minute lookback period. 
     - **Alert threshold** is irrelevant, since an alert is always generated.
     - **Event grouping** configuration is now available to a limited degree. You can choose to have an NRT rule generate an alert for each event for up to 30 events. If you choose this option and the rule results in more than 30 events, single-event alerts will be generated for the first 29 events, and a 30th alert will summarize all the events in the result set.
 
-    In addition, the query itself has the following requirements:
-
-    - You can't run the query across workspaces.
-
-    - Due to the size limits of the alerts, your query should make use of `project` statements to include only the necessary fields from your table. Otherwise, the information you want to surface could end up being truncated.
+    In addition, due to the size limits of the alerts, your query should make use of `project` statements to include only the necessary fields from your table. Otherwise, the information you want to surface could end up being truncated.
 
 ## Next steps
 
diff --git a/articles/sentinel/near-real-time-rules.md b/articles/sentinel/near-real-time-rules.md
@@ -41,7 +41,7 @@ The following limitations currently govern the use of NRT rules:
 
     - Since NRT rules use the ingestion time rather than the event generation time (represented by the TimeGenerated field), you can safely ignore the data source delay and the ingestion time latency (see above).
 
-    - Queries can run only within a single workspace. There is no cross-workspace capability.
+    - Queries can now run across multiple workspaces.
 
     - Event grouping is now configurable to a limited degree. NRT rules can produce up to 30 single-event alerts. A rule with a query that results in more than 30 events will produce alerts for the first 29, then a 30th alert that summarizes all the applicable events.
 
