All Triggered Asset Rules only show first 10,000 results #4

samer-faour-exa opened this issue Apr 12, 2021 · 1 comment
@samer-faour-exa

All Triggered Asset Rules only show first 10,000 results. I assume this is by design?

@jdifeder
Owner

Not necessarily by design, more of a limitation of the Threat Hunter search.
Technically TH can return 100k total session/sequence results, but underneath that total limit it appears that there is a 60k user session limit and then a 10k sequence limit.
Asset timelines are a sequence and are hitting that limit.

We can't know before running a TH search whether we'll hit the 10k limit, so we could build in a check: if it returns exactly 10k results, break up the TH search into multiple days, combine the results, and dedupe.

This is a good idea, I'll keep this open while I look into this.

@jdifeder jdifeder self-assigned this Apr 14, 2021
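The workaround sketched in the reply above (treat an exact-cap result as truncated, split the time window, merge, dedupe), as an added example that is not code from this repository or from Exabeam. It generalizes the "multiple days" idea to recursive halving of whatever window is requested, and it also handles the case the reply does not mention: a window that still hits the cap after being split down to a minimum width, which must be reported back rather than silently returned as if complete. The `search(start, end)` callable, the `sequenceId` key, the 1-hour minimum window and the in-memory stand-in for the Threat Hunter backend are all assumptions for the example; only the 10k cap comes from the issue.

```python
"""Added example, not code from this repository: work around a search
backend that silently caps a time-bounded query at N results by splitting
the window, recursing, and deduplicating the merged rows.

Assumptions not stated in the issue: the search callable takes an inclusive
(start, end) window and returns dicts with a stable "sequenceId" key; the
cap is the 10k sequence limit mentioned in the issue; the Threat Hunter
backend is replaced by a constructed in-memory stand-in.
"""
from datetime import datetime, timedelta

CAP = 10_000                      # sequence limit reported in the issue
MIN_WINDOW = timedelta(hours=1)   # assumed: stop splitting below this width


def search_with_split(search, start, end, cap=CAP, min_window=MIN_WINDOW, key="sequenceId"):
    """Run search(start, end). A result set of `cap` rows is treated as
    truncated: the window is halved and both halves are searched recursively.
    Rows are merged into a dict keyed on `key`, so a row that sits on a
    boundary and is returned by both halves appears once.

    Returns (rows, truncated) where `truncated` lists windows that were still
    at the cap once `min_window` was reached; those parts of the result are
    known to be incomplete and the caller must not treat them as exhaustive.
    """
    rows = search(start, end)
    if len(rows) < cap:
        return rows, []
    if end - start <= min_window:
        return rows, [(start, end)]
    mid = start + (end - start) / 2
    left, left_trunc = search_with_split(search, start, mid, cap, min_window, key)
    right, right_trunc = search_with_split(search, mid, end, cap, min_window, key)
    merged = {}
    for row in left + right:
        merged.setdefault(row[key], row)
    return list(merged.values()), left_trunc + right_trunc


def make_capped_search(events, cap=CAP):
    """Constructed stand-in for the Threat Hunter search: inclusive bounds on
    both ends (so boundary rows show up in adjacent windows) and a hard cap
    that drops everything past `cap` without any indication to the caller."""
    def search(start, end):
        hits = [e for e in events if start <= e["time"] <= end]
        return hits[:cap]
    return search


def build_sample_events(base=datetime(2021, 4, 1)):
    """Constructed data: 16,000 background sequences spaced 27 s apart over
    five days, plus 12,000 packed into the single hour starting at base+60h
    (a burst denser than the cap, to show where splitting cannot help)."""
    sparse = [{"sequenceId": f"seq-bg-{j}", "time": base + timedelta(seconds=27 * j)}
              for j in range(16_000)]
    burst_start = base + timedelta(hours=60)
    dense = [{"sequenceId": f"seq-burst-{k}",
              "time": burst_start + timedelta(milliseconds=300 * k)}
             for k in range(12_000)]
    return sparse + dense


def demo():
    """Compare one capped search against the split-and-dedupe search."""
    base = datetime(2021, 4, 1)
    events = build_sample_events(base)
    search = make_capped_search(events)
    start, end = base, base + timedelta(days=5)

    naive = search(start, end)
    rows, truncated = search_with_split(search, start, end)
    return {
        "total_events": len(events),
        "naive": len(naive),
        "split": len(rows),
        "truncated_windows": [(s.isoformat(), e.isoformat()) for s, e in truncated],
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['naive']} rows from one search, {r['split']} of {r['total_events']} after splitting")
    for s, e in r["truncated_windows"]:
        print(f"still capped after splitting, result incomplete: {s} .. {e}")
```

Splitting only helps while the cap is a property of the window size; a burst of more than 10k sequences inside the minimum window is lost no matter how the rest of the range is sliced, which is why the function returns the still-capped windows instead of just the rows. Deduplication on a stable identifier is needed even with half-open windows in principle, because the sub-searches are independent queries and a backend may index the same session or sequence under more than one timestamp.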