Forum Discussion
serg19
Sep 29, 2020 - Copper Contributor
Azure Sentinel - analytic rule will be disabled
Hi All, I received a very odd message from MS today: You have an analytic rule that violates the Azure Sentinel guidelines (uses "union *" in the query). This rule will be disabled since it fa...
Dec 15, 2022: This is noted here, source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom
"Rule query best practices:
The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *". You can use user-defined functions to overcome the query length limitation."
JKatzmandu
Sep 30, 2020 - Brass Contributor
Reading between the lines, it's not the "union *" that's the issue; it's that when the "*" expands you have so many table space names that it exceeds 10,000 characters. You may need to split it with something like "union A* | union a*" or similar.
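As an added example (not code from the thread, Microsoft, or the rule that triggered the notice), this is how a failed-logon rule that relied on "union *" can be rewritten to satisfy the guideline: each source is normalised in a let-bound expression and the union is scoped to only the tables the detection needs, which keeps the expanded query well under the 10,000-character limit. The table and column names are standard Sentinel tables; the threshold, regex and lookback are constructed for illustration.

```kql
// Constructed parameters for the example
let lookback = 1h;
let failureThreshold = 10;
// Normalise each source to the same shape up front. Keeping this per-table
// logic in let-bound expressions keeps the query body short and readable.
let WinFailures = SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4625                    // Windows: failed logon
    | project TimeGenerated, Account, Computer, SourceTable = "SecurityEvent";
let AadFailures = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType != "0"                  // Azure AD: non-zero result = failure
    | project TimeGenerated,
              Account = UserPrincipalName,
              Computer = AppDisplayName,
              SourceTable = "SigninLogs";
let LinuxFailures = Syslog
    | where TimeGenerated >= ago(lookback)
    | where Facility == "auth" and SyslogMessage has "Failed password"
    // Constructed regex for the common sshd "Failed password for [invalid user] X" form
    | project TimeGenerated,
              Account = extract(@"for (?:invalid user )?(\S+)", 1, SyslogMessage),
              Computer,
              SourceTable = "Syslog";
// Explicitly scoped union in place of "union *": only the three sources above.
union WinFailures, AadFailures, LinuxFailures
| where isnotempty(Account)
| summarize Failures = count(),
            Hosts = make_set(Computer, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Account, SourceTable
| where Failures >= failureThreshold
| order by Failures desc
```

If the rule genuinely needs many more tables, wildcard scoping such as "union Security*" limits the expansion to a table-name prefix rather than the whole workspace.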