Not necessarily by design, more of a limitation of the Threat Hunter search.
Technically TH can return 100k total session/sequence results, but underneath that total limit it appears that there is a 60k user session limit and then a 10k sequence limit.
Asset timelines are a sequence and are hitting that limit.
We can't know before running a TH search if we'll hit the 10k limit, so we could build in a check that, if it returns exactly 10k results, breaks up the TH search into multiple days, combines the results, and dedupes.
This is a good idea, I'll keep this open while I look into this.
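An added sketch of the check proposed above, not code from this project or from the thread's participants: when a search comes back at the cap, the window is split, re-queried, combined and deduped. It generalizes "multiple days" to recursive halving so that a single busy day is also split. `search`, the `id`/`time` fields and `make_fake_search` are hypothetical stand-ins for the real Threat Hunter call and its result format.

```python
from datetime import timedelta

SEQUENCE_CAP = 10_000  # per-search sequence limit described in the thread


def _dedupe(rows, key):
    """Keep the first row seen for each key, preserving order."""
    seen, out = set(), []
    for row in rows:
        k = key(row)
        if k not in seen:
            seen.add(k)
            out.append(row)
    return out


def search_with_split(search, start, end, cap=SEQUENCE_CAP,
                      min_window=timedelta(hours=1), key=lambda r: r["id"]):
    """Run search(start, end); if the cap is reached, halve the window and retry.

    `search` is a hypothetical callable returning a list of dicts.
    Returns (deduped_rows, windows_still_truncated).
    """
    rows = search(start, end)
    if len(rows) < cap:
        return _dedupe(rows, key), []
    if end - start <= min_window:
        # Cannot split further: keep the partial rows and report the window
        # so the caller knows the timeline is incomplete there.
        return _dedupe(rows, key), [(start, end)]
    mid = start + (end - start) / 2
    left, lost_l = search_with_split(search, start, mid, cap, min_window, key)
    right, lost_r = search_with_split(search, mid, end, cap, min_window, key)
    # Adjacent windows can both return a row sitting on the shared boundary.
    return _dedupe(left + right, key), lost_l + lost_r


def make_fake_search(events, cap):
    """Constructed stand-in for the backend: inclusive bounds, silent cap."""
    def search(start, end):
        return [e for e in events if start <= e["time"] <= end][:cap]
    return search
```

The second return value lists any windows that still hit the cap at the minimum size, so a truncated timeline is reported rather than silently accepted.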
All Triggered Asset Rules only show first 10,000 results. I assume this is by design?