What Changed

Microsoft Sentinel documentation now includes “Known Issue #10” covering the Azure Monitor Logs Ingestion API 64 KB per-field size limit that affects all data connectors using Data Collection Rules (DCRs).

Security Impact (Visibility & Fidelity)

This documentation addresses a significant data fidelity gap: fields containing large payloads such as ScriptContentBytes, CommandLine, RequestBody, or encoded content are silently truncated at 64 KB with no error or warning surfaced to users.

This creates detection blind spots:

  • Incomplete command line arguments may hide malicious parameters beyond the 64 KB boundary
  • Truncated script content prevents full payload analysis for threat hunting
  • Large request bodies in web traffic analysis lose critical attack vectors
  • Any detection logic depending on complete field values will operate on partial data

Operational Guidance

The documentation provides SOC teams with:

  1. Clarification that the DCRLogErrors table will not show truncation events (the failure is silent)
  2. A KQL heuristic using a strlen() approximation to identify potentially affected records
  3. Source-system mitigation strategies (field splitting, payload summarization)
  4. Acknowledgment of the platform limitation, with a reference to the Azure Monitor service limits

This is a documentation-only change with no code modifications to connector logic.
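As an added illustration of items 2 and 3 above (example code, not from the Sentinel documentation or any connector), the following forwarder-side helper flags fields near the 64 KB limit before ingestion and splits oversized fields into UTF-8-safe chunks; the field names, the 90% heuristic threshold and the `_partN` naming are assumptions.

```python
"""Added example (not Sentinel docs or connector code): a source-side guard
against the Azure Monitor Logs Ingestion API 64 KB per-field limit.
Field names, the 90% heuristic threshold and the _partN naming are assumptions."""

FIELD_LIMIT_BYTES = 64 * 1024   # per-field limit described in the known issue
SUSPECT_RATIO = 0.9             # heuristic slack, mirrors the docs' strlen() approximation


def at_risk_fields(record: dict, ratio: float = SUSPECT_RATIO) -> list[str]:
    """Return names of string fields whose UTF-8 size is near or over the limit.

    Ingestion truncates silently (DCRLogErrors stays empty), so the forwarder
    is the last place the problem can be noticed before the data is lost.
    The limit is in bytes, so measure the encoded size, not len(value).
    """
    return [
        name for name, value in record.items()
        if isinstance(value, str)
        and len(value.encode("utf-8")) >= FIELD_LIMIT_BYTES * ratio
    ]


def split_field(record: dict, name: str, limit: int = FIELD_LIMIT_BYTES) -> dict:
    """Replace an oversized string field with <name>_part1..N plus <name>_parts.

    Chunks are cut on UTF-8 character boundaries so no multi-byte character
    is split; the part count lets a KQL query reassemble the value or detect
    a missing chunk. Records that fit within the limit are returned unchanged.
    """
    value = record.get(name)
    if not isinstance(value, str) or len(value.encode("utf-8")) <= limit:
        return record
    data = value.encode("utf-8")
    parts, pos = [], 0
    while pos < len(data):
        end = min(pos + limit, len(data))
        # UTF-8 continuation bytes look like 0b10xxxxxx; back up to a char start
        while end < len(data) and (data[end] & 0xC0) == 0x80:
            end -= 1
        parts.append(data[pos:end].decode("utf-8"))
        pos = end
    out = {k: v for k, v in record.items() if k != name}
    for i, part in enumerate(parts, start=1):
        out[f"{name}_part{i}"] = part
    out[f"{name}_parts"] = len(parts)
    return out
```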

Affected Files

Solutions/known_issues.md