Skip to content

Rate Limits on Event Search🔗

XDR employs rate limiting on events search to ensure consistent and optimum performance. This is an essential step to prevent the application from being overwhelmed by more requests than it can handle gracefully. Two kinds of rate limiting are employed:

  • Concurrent Running Query Unit Quotas — Restricts the number of query units that can simultaneously execute per tenant. Depending on the search being run, one or more query units could be executed. For example, running a logical type search would execute multiple query units. Presently, a maximum of 100 concurrent query units are allowed for each tenant.
  • Data Scan Limits — Manages the volume of data scanned during any query. Queries to the search database are restricted to a maximum scan limit of 10TB.

Rate limits help ensure a balanced distribution of resources to all users. If you often hit these limits and require a higher quota, please contact our support team so that we can review the situation with you and better understand your needs.