Forum Discussion
Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
- May 13, 2025
I'm sure this is because Sentinel excludes union * in the Logs blade within Sentinel (it will work outside Sentinel in similar-looking Logs blades, like in Log Analytics). It was excluded for performance reasons for Detections, as you could be looking through 10s, 100s or more tables and the results may not come back in enough time for the next alert trigger. More relevant for NRT or rules that trigger every 5 mins.
Can you union by named Table (e.g. union IdentityInfo) or Join or lookup?
The screenshot you provided doesn't show the union *, just a join.
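As an added example (not code from either poster), this is the shape of a rule query that keeps the "look across several tables" intent of union * but lists the tables explicitly, which is what the analytics rule editor accepts; it assumes the SigninLogs and AADNonInteractiveUserSignInLogs tables and the IdentityInfo columns AccountUPN and Department exist in the workspace, and the IP list is a constructed sample.

```kql
// Added example, not from the thread. Replaces `union *` with a named table list
// so the Sentinel analytics rule editor accepts the query. Table and column
// names are assumptions about the workspace; the IPs are constructed samples.
let WatchedIPs = dynamic(["203.0.113.10", "198.51.100.7"]);   // constructed TEST-NET values
// Latest identity snapshot per user, used for enrichment via lookup (not join).
let Identities = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, Department;
union isfuzzy=true withsource=SourceTable     // isfuzzy: keep running if one listed table is absent
    SigninLogs,
    AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)                 // match the rule's query period
| where ResultType == "0"                       // successful sign-ins only (ResultType is a string)
| where IPAddress in (WatchedIPs)
| lookup kind=leftouter Identities on $left.UserPrincipalName == $right.AccountUPN
| summarize SignIns = count(), SourceTables = make_set(SourceTable)
    by UserPrincipalName, IPAddress, Department
```

Adding a new table later means editing the list, but the explicit list is also what keeps the rule's execution time predictable for 5-minute or NRT schedules.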
- May 13, 2025
I just noticed that join is not union, as you said. And surprisingly, even a normal union or union * now seems to be able to create a detection rule, unlike what people said about how it is in Sentinel Logs. Thank you so much! But I swear in the afternoon with this same query there was an error, as shown in the pic, even though I tried many times. ><