Forum Discussion
Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
- May 13, 2025
I'm sure this is because Sentinel excludes union * in the Logs blade within Sentinel (it will work outside Sentinel in similar-looking Logs blades, like in Log Analytics). It was excluded for performance reasons for Detections, as you could be looking through 10s, 100s or more tables and the results may not come back in enough time for the next alert trigger. This is more relevant for NRT or rules that trigger every 5 mins.
Can you union by named table (e.g. union IdentityInfo), or use join or lookup?
The screenshot you provided doesn't show the union *, just a join.
This query worked when I simply ran it in advanced hunting (slightly altered for my environment); when I tried to make a detection rule, the system complained that it needs a recordID value in the query results to make a rule. So I can't explain how you got this error; presumably the query runs fine on your side as well.
- May 13, 2025
OMG, I tried creating the detection rule again with "exactly" the same query and this time it works! So, how come lol. Anyway, thank you so much!