Forum Discussion
Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
- May 13, 2025
I'm sure this is because Sentinel excludes union * in the Logs blade within Sentinel (it will work outside Sentinel in similar-looking logs blades, like in Log Analytics). It was excluded for performance reasons for Detections, as you could be looking through 10s, 100s or more tables and the results may not come back in enough time for the next alert trigger. More relevant for NRT or rules that trigger every 5 mins.
Can you union by named Table (e.g. union IdentityInfo) or Join or lookup?
The screenshot you provided doesn't show the union *, just a join.
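An added example, not part of the reply above or of the original poster's query (which this page does not show): the named-table approach the reply suggests, written as a Defender hunting query. The three identity tables, the one-hour window and the enrichment columns are assumptions chosen for illustration.

```kusto
// Added example: list the tables explicitly instead of using `union *`.
// Table choice, lookback and enrichment columns are assumptions, not the poster's query.
let lookback = 1h;
union withsource=SourceTable
    // Filter inside each leg so every table is time-scoped before the union.
    (IdentityLogonEvents     | where Timestamp > ago(lookback)),
    (IdentityQueryEvents     | where Timestamp > ago(lookback)),
    (IdentityDirectoryEvents | where Timestamp > ago(lookback))
| where isnotempty(AccountUpn)
// Keep Timestamp, ReportId and an account identifier in the output so the
// results can be mapped to an alert and an impacted entity.
| project Timestamp, ReportId, SourceTable, ActionType, AccountUpn, AccountObjectId
// Enrich with the latest IdentityInfo record per user (one row per AccountUpn),
// using lookup rather than a second wide union.
| lookup kind=leftouter (
    IdentityInfo
    | summarize arg_max(Timestamp, Department, JobTitle) by AccountUpn
    | project AccountUpn, Department, JobTitle
  ) on AccountUpn
```

The SourceTable column added by withsource records which table each row came from, which is the information a `union *` query would otherwise be used to discover.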