Forum Discussion
serg19
Sep 29, 2020 · Copper Contributor
Azure Sentinel - analytic rule will be disabled
Hi All, I received a very odd message from MS today: You are have an analytic rule that violates the Azure Sentinel guidelines (uses “union *” in the query). This rule will be disabled since it fa...
- Dec 15, 2022: This is noted here, source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom
"Rule query best practices:
The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *". You can use user-defined functions to overcome the query length limitation."
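A pre-deployment check for the rule quoted above, as an added example that is not part of the original thread or of any Microsoft tooling: it flags analytic rule queries outside the 1 to 10,000 character range or containing `search *` or `union *`, ignoring matches inside KQL comments and string literals. The function name, the sample queries, and the treatment of `union` parameters before the wildcard are assumptions made for this example.

```python
import re

MAX_LEN = 10_000  # character limit quoted from the Microsoft Learn page above

# KQL string literals (plain and @-verbatim) and // comments; these are blanked
# before matching so that text inside them does not trigger a finding.
_SKIP = re.compile(
    r'''@"(?:[^"]|"")*"|@'(?:[^']|'')*'|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|//[^\n]*''')

# Assumption: a wildcard union that carries kind=/withsource=/isfuzzy= parameters
# is treated like the plain "union *" form named in the guideline.
_WILDCARDS = {
    "search *": re.compile(r"\bsearch\s+\*(?!\w)"),
    "union *": re.compile(
        r"\bunion\s+(?:(?:kind|withsource|isfuzzy)\s*=\s*\w+\s+)*\*(?!\w)"),
}


def _blank(match):
    # Keep newlines so reported line numbers still match the original query.
    return re.sub(r"[^\n]", " ", match.group())


def check_rule_query(query):
    """Return a list of guideline findings for one analytic rule query."""
    findings = []
    if not 1 <= len(query) <= MAX_LEN:
        findings.append(f"length {len(query)} outside 1..{MAX_LEN}")
    code = _SKIP.sub(_blank, query)
    for name, pattern in _WILDCARDS.items():
        for m in pattern.finditer(code):
            line = code.count("\n", 0, m.start()) + 1
            findings.append(f"{name} at line {line}")
    return findings


# Constructed sample queries, not taken from any real workspace.
SAMPLE_RULES = {
    "all-tables-hunt": 'union *\n| where TimeGenerated > ago(1h)\n| where Account == "svc-backup"',
    "scoped-union": 'union SecurityEvent, SigninLogs // was: union *\n| where Message has "search * failed"',
    "with-source": "SecurityEvent\n| union withsource=SrcTable *",
    "empty": "",
}

if __name__ == "__main__":
    for rule, query in SAMPLE_RULES.items():
        print(rule, check_rule_query(query) or "ok")
```

Running it over exported rule queries before deployment shows which rules would need their wildcard replaced by an explicit table list.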
LiliaF
Dec 15, 2022 · Copper Contributor
Could you please share what your role in the tenant is, so that you receive those types of messages?