Forum Discussion
Azure Sentinel - analytic rule will be disabled
Hi All,
I received a very odd message from MS today:
You have an analytic rule that violates the Azure Sentinel guidelines (uses "union *" in the query).
This rule will be disabled since it failed to run.
The disabled rule name and description will be changed (AUTO DISABLED will be added to it)
"The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *"."
It means I am not allowed to have the following line in my query:
union withsource=TableName1 *
Has anyone come across this before?
Many Thanks
3 Replies
- Clive_Watson (Bronze Contributor)
This is noted here, source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom
"Rule query best practices:
The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *". You can use user-defined functions to overcome the query length limitation."
- LiliaF (Copper Contributor)
Could you please share what your role in the tenant is, so you receive those types of messages?
- JKatzmandu (Brass Contributor)
Reading between the lines it's not the "union *" that's the issue, it's that when the "*" expands you have so many table space names that it exceeds 10,000 characters. You may need to split it with something like "union A* | union a*" or similar.
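As an added illustration (not code from any poster in this thread), the rejected pattern from the original question beside a form that stays within the documented rule-query guidance: the tables are enumerated explicitly instead of expanded from "*". The table names are standard Sentinel/Log Analytics tables chosen here as an assumption; substitute the tables your rule actually needs. `withsource=TableName1` keeps the originating table name in a column so any downstream logic keyed on it is unchanged, and `isfuzzy=true` lets the query run even if one of the listed tables is not present in a given workspace.

```kql
// Rejected by the analytic rule validator (kept here as a comment for comparison):
// union withsource=TableName1 *
// | where TimeGenerated > ago(1h)

// Compliant alternative: name the tables explicitly.
// SecurityEvent, Syslog and SigninLogs are assumed to exist in the workspace.
union withsource=TableName1 isfuzzy=true SecurityEvent, Syslog, SigninLogs
| where TimeGenerated > ago(1h)
// Example downstream logic that still relies on the source-table column.
| summarize EventCount = count() by TableName1, bin(TimeGenerated, 5m)
| order by TimeGenerated desc
```

Enumerating tables also keeps the rule's scope explicit, which is easier to review than a wildcard whose expansion depends on whatever tables happen to exist in the workspace.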