
EricL.25633 (Customer) asked a question.
We keep running into rate limit warnings for syslog with Azure Sentinel. This is currently the only thing that is querying syslog, so the warnings are definitely from Azure Sentinel.
Any advice on how to avoid these with Azure Sentinel? Perhaps there is a connection aggregation feature since all the data is being pulled into a single data source. I'd think for the most part these queries could be set to query every X minutes for all new data, which seems like it would certainly avoid any kind of rate limit thresholds.

The rate limit warnings are totally dependent on how many requests the SIEM platform does against Okta. A solution would be, as you suggested, to query specific events every X minutes but this is something that has to be modified only on the SIEM platform side.
Another option would be to apply for a permanent rate limit increase but you would need to open a case with Support in order to investigate if this would resolve the issue or not.
Before opening the case, make sure that you gather all the information from the following article.
https://support.okta.com/help/s/article/How-can-we-request-to-have-the-rate-limit-for-our-org-temporarily-increased
Thank You,
Cosmin Prahoveanu
Technical Support Engineer
Okta Global Customer Care
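A query-every-X-minutes loop of the kind suggested in this thread, written here as an added example (not code from the thread, from Okta, or from Azure Sentinel): it keeps a `since` watermark so each request asks only for new System Log events, and reads the X-Rate-Limit-Remaining / X-Rate-Limit-Reset headers to hold off before the org-wide limit is hit. The `/api/v1/logs` endpoint, its `since`/`limit` parameters and the header names are assumptions taken from Okta's public API documentation; the transport is injected so the sample runs offline against constructed responses.

```python
import time

LOW_WATER = 5  # hold off when this few requests remain in the current window


def backoff_seconds(headers, now):
    """Seconds to wait before the next request, from Okta's rate-limit headers."""
    remaining = int(headers.get("X-Rate-Limit-Remaining", "1"))
    reset = int(headers.get("X-Rate-Limit-Reset", str(int(now))))  # epoch seconds
    return max(0, reset - int(now)) if remaining <= LOW_WATER else 0


class LogPoller:
    """Incremental poller: a `since` watermark makes each call ask only for new events."""

    def __init__(self, fetch, since):
        self.fetch = fetch    # fetch(params) -> (status, headers, events); injected transport
        self.since = since    # ISO-8601 `published` time of the newest event seen so far

    def poll(self, now=None):
        """One cycle against GET /api/v1/logs (assumed); returns (new_events, seconds_to_wait)."""
        now = time.time() if now is None else now
        status, headers, events = self.fetch({"since": self.since, "limit": 1000})
        if status == 429:   # rate limited: keep the watermark, wait until the window resets
            return [], max(1, backoff_seconds({**headers, "X-Rate-Limit-Remaining": "0"}, now))
        if events:          # advance the watermark; dedupe by event uuid downstream
            self.since = max(e["published"] for e in events)
        return events, backoff_seconds(headers, now)


def make_fake_fetch():
    """Constructed stand-in for the HTTPS transport: two new events, then a 429, then nothing."""
    calls = []

    def fetch(params):
        calls.append(params)
        if len(calls) == 1:
            return 200, {"X-Rate-Limit-Remaining": "40", "X-Rate-Limit-Reset": "1700000060"}, [
                {"published": "2023-11-14T22:13:20.000Z", "eventType": "user.session.start"},
                {"published": "2023-11-14T22:13:25.000Z", "eventType": "user.authentication.sso"},
            ]
        if len(calls) == 2:
            return 429, {"X-Rate-Limit-Remaining": "0", "X-Rate-Limit-Reset": "1700000060"}, []
        return 200, {"X-Rate-Limit-Remaining": "40", "X-Rate-Limit-Reset": "1700000120"}, []

    return fetch


if __name__ == "__main__":
    poller = LogPoller(make_fake_fetch(), "2023-11-14T22:00:00.000Z")
    for _ in range(3):
        events, wait = poller.poll(now=1700000030)
        print(f"{len(events)} new events; wait {wait}s; since={poller.since}")
```

In a real connector the returned wait is what the scheduler sleeps before the next poll, so the poller never burns through the window and triggers the warnings described above.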