Merge pull request #245116 from yelevin/docs-editor/map-data-fields-to-entities-1689594566

prmerger-automator[bot] · web-flow · commit 527050290cb3 · 2023-07-23T20:04:12.000Z
Replacing public repo PR "Update limitations on entity mappings #111671"
diff --git a/articles/sentinel/includes/sentinel-limits-analytics-rules.md b/articles/sentinel/includes/sentinel-limits-analytics-rules.md
@@ -16,7 +16,10 @@ The following limit applies to analytics rules in Microsoft Sentinel.
 | --------- | --------- | --------- |
 | Number of *enabled* rules     | 512 rules       | None |
 | Number of near-real-time (NRT) rules | 50 NRT rules | None |
+| Entity mappings | 10 mappings per rule | None |
+| Entities identified per alert<br>(Divided equally among the mapped entities) | 500 entities per alert | None |
+| Entities cumulative size limit | 64 KB | None |
 | Custom details    | 20 details per rule | None |
 | Custom details cumulative size limit | 2 KB | None |
 | Alerts per rule<br>Applicable when *Event grouping* is set to *Trigger an alert for each event* | 150 alerts | None |
-| Alerts per rule for NRT rules | 30 alerts | None |
+| Alerts per rule for NRT rules | 30 alerts | None |
diff --git a/articles/sentinel/map-data-fields-to-entities.md b/articles/sentinel/map-data-fields-to-entities.md
@@ -38,23 +38,24 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
 
 1. Select an **identifier** for the entity. Identifiers are attributes of an entity that can sufficiently identify it. Choose one from the **Identifier** drop-down list, and then choose a data field from the **Value** drop-down list that will correspond to the identifier. With some exceptions, the **Value** list is populated by the data fields in the table defined as the subject of the rule query.
 
-    You can define **up to three identifiers** for a given entity. Some identifiers are required, others are optional. You must choose at least one required identifier. If you don't, a warning message will instruct you which identifiers are required. For best results - for maximum unique identification - you should use **strong identifiers** whenever possible, and using multiple strong identifiers will enable greater correlation between data sources. See the full list of available [entities and identifiers](entities-reference.md).
+    You can define **up to three identifiers** for a given entity mapping. Some identifiers are required, others are optional. You must choose at least one required identifier. If you don't, a warning message will instruct you which identifiers are required. For best results&mdash;for maximum unique identification&mdash;you should use **strong identifiers** whenever possible, and using multiple strong identifiers will enable greater correlation between data sources. See the full list of available [entities and identifiers](entities-reference.md).
 
     :::image type="content" source="media/map-data-fields-to-entities/map-entities.png" alt-text="Map fields to entities":::
 
-1. Click **Add new entity** to map more entities. You can map **up to five entities** in a single analytics rule. You can also map more than one of the same type. For example, you can map two **IP** entities, one from a *source IP address* field and one from a *destination IP address* field. This way you can track them both.
+1. Select **Add new entity** to map more entities. You can define **up to ten entity mappings** in a single analytics rule. You can also map more than one of the same type. For example, you can map two **IP** entities, one from a *source IP address* field and one from a *destination IP address* field. This way you can track them both.
 
     If you change your mind, or if you made a mistake, you can remove an entity mapping by clicking the trash can icon next to the entity drop-down list.
 
 1. When you have finished mapping entities, click the **Review and create** tab. Once the rule validation is successful, click **Save**.
 
 > [!NOTE]
-> - **Each mapped entity can identify *up to ten entities***.  
->   - If an alert contains more than ten items that correspond to a single entity mapping, only the first ten will be recognized as entities and be able to be analyzed as such.
->   - This limitation applies to actual mappings, not to entity types. So if you have three different mapped entities for IP addresses (say, source, destination, and gateway), each of those mappings can accommodate ten entities.
+> - ***Up to 500 entities collectively* can be identified in a single alert, divided equally across all entity mappings defined in the rule**.
+>   - For example, if two entity mappings are defined in the rule, each mapping can identify up to 250 entities; if five mappings are defined, each one can identify up to 100 entities, and so on.
+>   - Multiple mappings of a single entity type (say, source IP and destination IP) each count separately.
+>   - If an alert contains items in excess of this limit, those excess items will not be recognized and extracted as entities.
 >
-> - **The size limit for an entire alert is *64 KB***.
->   - Alerts that grow larger than 64 KB will be truncated. As entities are identified, they are added to the alert one by one until the alert size reaches 64 KB, and any remaining entities are dropped from the alert.
+> - **The size limit for the entire *entities* area of an alert (the *Entities* field) is *64 KB***.
+>   - *Entities* fields that grow larger than 64 KB will be truncated. As entities are identified, they are added to the alert one by one until the field size reaches 64 KB, and any entities yet unidentified are dropped from the alert.
 
 ## Notes on the new version
 
@@ -68,3 +69,6 @@ In this document, you learned how to map data fields to entities in Microsoft Se
 
 - Get the complete picture on [scheduled query analytics rules](detect-threats-custom.md).
 - Learn more about [entities in Microsoft Sentinel](entities.md).
+
+
+
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -24,13 +24,25 @@ See these [important announcements](#announcements) about recent changes to feat
 
 ## July 2023
 
+- [Higher limits for entities in alerts and entity mappings in analytics rules](#higher-limits-for-entities-in-alerts-and-entity-mappings-in-analytics-rules)
 - Announcement: [Changes to Microsoft Defender for Office 365 connector alerts that apply when disconnecting and reconnecting](#changes-to-microsoft-defender-for-office-365-connector-alerts-that-apply-when-disconnecting-and-reconnecting)
 - [Content Hub generally available and centralization changes released](#content-hub-generally-available-and-centralization-changes-released)
 - [Deploy incident response playbooks for SAP](#deploy-incident-response-playbooks-for-sap)
 - [Microsoft Sentinel solution for D365 Finance and Operations (Preview)](#microsoft-sentinel-solution-for-d365-finance-and-operations-preview)
 - [Simplified pricing tiers](#simplified-pricing-tiers) in [Announcements](#announcements) section below
 - [Monitor and optimize the execution of your scheduled analytics rules (Preview)](#monitor-and-optimize-the-execution-of-your-scheduled-analytics-rules-preview)
 
+### Higher limits for entities in alerts and entity mappings in analytics rules
+
+The following limits on entities in alerts and entity mappings in analytics rules have been raised:
+- You can now define **up to ten entity mappings** in an analytics rule (up from five).
+- A single alert can now contain **up to 500 identified entities** in total, divided equally amongst the mapped entities.
+- The *Entities* field in the alert has a **size limit of 64 KB**. (This size limit previously applied to the entire alert record.)
+
+Learn more about entity mapping, and see a full description of these limits, in [Map data fields to entities in Microsoft Sentinel](map-data-fields-to-entities.md).
+
+Learn about other [service limits in Microsoft Sentinel](sentinel-service-limits.md).
+
 ### Content Hub generally available and centralization changes released
 
 Content hub is now generally available (GA)! The [content hub centralization changes announced in February](#out-of-the-box-content-centralization-changes) have also been released. For more information on these changes and their impact, including more details about the tool provided to reinstate **IN USE** gallery templates, see [Out-of-the-box (OOTB) content centralization changes](sentinel-content-centralize.md). 
