Merge pull request #279101 from yelevin/patch-2

Updated service limits for alert enhancements

Author: v-ccolin

articles/sentinel/customize-alert-details.md

@@ -66,21 +66,21 @@ Follow the procedure detailed below to use the alert details feature. These step
 
     1. To override more default properties, select **+ Add new** and repeat the previous step. The following properties can be overridden:
 
-        |Name  |Description  |
-        |---------|---------|
-        |**AlertName**     |    String     |
-        |**Description**     | String        |
-        |**AlertSeverity**     | One of the following values: <br>- **Informational**<br>- **Low**<br>- **Medium**<br>- **High**        |
-        |**Tactics**     |    One of the following values: <br>- **Reconnaissance**<br>- **ResourceDevelopment**<br>- **InitialAccess**<br>-         **Execution**<br>        - **Persistence**<br>-        **PrivilegeEscalation**<br>-        **DefenseEvasion**<br>-        **CredentialAccess** <br>- **Discovery**<br>        - **LateralMovement**<br>-        **Collection**<br>-        **Exfiltration**<br>-        **CommandAndControl**<br>-        **Impact**<br> - **PreAttack**<br>- **ImpairProcessControl**<br>- **InhibitResponseFunction**     |
-        |**Techniques** (Preview)     | A string that matches the following regular expression: `^T(?<Digits>\d{4})$`. <br>For example: **T1234**        |
-        |**AlertLink** (Preview)     |  String       |
-        |**ConfidenceLevel** (Preview)     | One of the following values: <br>-  **Low**<br>- **High**<br>- **Unknown**      |
-        |**ConfidenceScore** (Preview)     | Integer, between **0**-**1** (inclusive)     |
-        |**ExtendedLinks** (Preview)     |  String       |
-        |**ProductComponentName** (Preview)     |   String      |
-        |**ProductName** (Preview)     |   String      |
-        |**ProviderName** (Preview)     |   String      |
-        |**RemediationSteps** (Preview)     |    String     |
+        | Name | Description |
+        | ---- | ----------- |
+        | **AlertName**                      | String |
+        | **Description**                    | String |
+        | **AlertSeverity**                  | One of the following values: <br>- **Informational**<br>- **Low**<br>- **Medium**<br>- **High** |
+        | **Tactics**                        | One of the following values: <br>- **Reconnaissance**<br>- **ResourceDevelopment**<br>- **InitialAccess**<br>- **Execution**<br>- **Persistence**<br>- **PrivilegeEscalation**<br>- **DefenseEvasion**<br>- **CredentialAccess**<br>- **Discovery**<br>- **LateralMovement**<br>- **Collection**<br>- **Exfiltration**<br>- **CommandAndControl**<br>- **Impact**<br>- **PreAttack**<br>- **ImpairProcessControl**<br>- **InhibitResponseFunction** |
+        | **Techniques** (Preview)           | A string that matches the following regular expression: `^T(?<Digits>\d{4})$`. <br>For example: **T1234** |
+        | **AlertLink** (Preview)            | String |
+        | **ConfidenceLevel** (Preview)      | One of the following values: <br>- **Low**<br>- **High**<br>- **Unknown** |
+        | **ConfidenceScore** (Preview)      | Integer, between **0**-**1** (inclusive) |
+        | **ExtendedLinks** (Preview)        | String |
+        | **ProductComponentName** (Preview) | String |
+        | **ProductName** (Preview)          | String |
+        | **ProviderName** (Preview)         | String |
+        | **RemediationSteps** (Preview)     | String |
 
     If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the **Alert property/Value** pair, or delete the free text from the **Alert Name/Description Format** fields.
 
@@ -89,7 +89,10 @@ Follow the procedure detailed below to use the alert details feature. These step
    > [!NOTE]
    > 
    > **Service limits**
-   > - The combined size limit for all alert details and [custom details](surface-custom-details-in-alerts.md), collectively, is **64 KB**.
+   > - You can override a field with **up to 50 values**. Values past the 50th are dropped.
+   > - The size limit for the AlertName field, and any other non-collection properties, is **256 bytes**.
+   > - The size limit for the Description field, and any other collection properties, is **5 KB**.
+   > - Values exceeding the size limits are dropped.
 
 ## Next steps
 

articles/sentinel/sentinel-service-limits.md

@@ -23,8 +23,8 @@ The following limit applies to analytics rules in Microsoft Sentinel.
 | [Entity mappings](map-data-fields-to-entities.md) | 10 mappings per rule | None |
 | [Entities](map-data-fields-to-entities.md) identified per alert<br>(Divided equally among the mapped entities) | 500 entities per alert | None |
 | [Entities](map-data-fields-to-entities.md) cumulative size limit | 64 KB | None |
-| [Custom details](surface-custom-details-in-alerts.md)    | 20 details per rule | None |
-| [Custom details](surface-custom-details-in-alerts.md) and [alert details](customize-alert-details.md)<br>combined cumulative size limit | 64 KB | None |
+| [Custom details](surface-custom-details-in-alerts.md) | 20 details per rule<br>50 values per detail<br>2 KB cumulative size | None |
+| [Alert details](customize-alert-details.md) | 50 values per overridden field<br>5 KB per field for `Description` and collections<br>256 bytes per field for `AlertName` and non-collections | None |
 | Alerts per rule<br>Applicable when *Event grouping* is set to *Trigger an alert for each event* | 150 alerts | None |
 | Alerts per rule for NRT rules | 30 alerts | None |
 

articles/sentinel/surface-custom-details-in-alerts.md

@@ -60,9 +60,9 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
     > [!NOTE]
     > 
     > **Service limits**
-    > - You can define **up to 20 custom details** in a single analytics rule.
+    > - You can define **up to 20 custom details** in a single analytics rule. Each custom detail can contain **up to 50 values**.
     >
-    > - The combined size limit for all custom details and [alert details](customize-alert-details.md), collectively, is **64 KB**.
+    > - The combined size limit for all custom details and their values in a single alert is **2 KB**. Values in excess of this limit are dropped.
 
 ## Next steps