Azure Sentinel - analytic rule will be disabled


Hi All,

I received a very odd message from MS today:

You are have an analytic rule that violates the Azure Sentinel guidelines (uses “union *” in the query).
This rule will be disabled since it failed to run.
The disabled rule name and description will be changed (AUTO DISABLED will be added to it)
"The query length should be between 1 and 10,000 characters and cannot contain “search *” or “union *”."

It means I am not allowed to have the following line in my query:
union withsource=TableName1 *
Has anyone come across it before?

Many Thanks


@serg19 


Reading between the lines it's not the "union *" that's the issue, it's that when the "*" expands you have so many table space names that it exceeds 10,000 characters. You may need to split it with something like "union A* | union a*" or similar.
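The thread quotes three constraints on a Sentinel scheduled analytic rule query (length between 1 and 10,000 characters, no `search *`, no `union *`) and the reply points out that a wildcard is expanded into the full list of matching table names before the limit is applied. The following is an added example, not code from the original post or from Microsoft, of a pre-deployment lint that checks rule queries against those quoted constraints and estimates how long a wildcard `union` becomes once expanded against a known table list. The rule names, table names and queries are constructed sample data; the regex treats `union`/`search` options as KQL `name=value` pairs, which is an assumption about the operator syntax, and the wildcard expansion models only a trailing `*` prefix match.

```python
import re
from typing import Dict, List

# Limits quoted from the Sentinel message in the thread.
MIN_QUERY_LEN = 1
MAX_QUERY_LEN = 10_000

# Match `union *` and `search *`, including option forms such as
# `union withsource=TableName1 *` or `union kind=outer *`.
# Assumption: operator options are `name=value` pairs separated by whitespace.
# `union A*` (a real prefix wildcard) is not matched: the `*` must stand alone.
_OPTS = r"(?:\s+\w+\s*=\s*[^\s|]+)*"
UNION_STAR = re.compile(r"\bunion\b" + _OPTS + r"\s*\*(?!\w)", re.IGNORECASE)
SEARCH_STAR = re.compile(r"\bsearch\b" + _OPTS + r"\s*\*(?!\w)", re.IGNORECASE)


def check_rule_query(query: str) -> List[str]:
    """Return the list of guideline violations for one rule query (empty if clean)."""
    problems: List[str] = []
    n = len(query)
    if n < MIN_QUERY_LEN or n > MAX_QUERY_LEN:
        problems.append(f"length {n} outside {MIN_QUERY_LEN}..{MAX_QUERY_LEN}")
    if UNION_STAR.search(query):
        problems.append("contains 'union *'")
    if SEARCH_STAR.search(query):
        problems.append("contains 'search *'")
    return problems


def check_rules(rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint every rule; only rules with at least one violation appear in the result."""
    report: Dict[str, List[str]] = {}
    for name, query in rules.items():
        problems = check_rule_query(query)
        if problems:
            report[name] = problems
    return report


def expand_wildcard(pattern: str, tables: List[str]) -> List[str]:
    """Expand a trailing-`*` table pattern against a known table list (prefix match)."""
    if not pattern.endswith("*"):
        return [pattern] if pattern in tables else []
    prefix = pattern[:-1]
    return [t for t in tables if t.startswith(prefix)]


def expanded_union_length(patterns: List[str], tables: List[str]) -> int:
    """Character count of `union T1, T2, ...` once every wildcard is expanded.

    This models the reply's point: a short `union *` can become a very long
    statement after expansion, which is what the 10,000-character limit sees.
    """
    names: List[str] = []
    for p in patterns:
        names.extend(expand_wildcard(p, tables))
    return len("union " + ", ".join(names))


# Constructed sample workspace tables and rule queries (not real data).
SAMPLE_TABLES = ["SecurityEvent", "SecurityAlert", "Syslog", "AzureActivity", "SigninLogs"]
SAMPLE_RULES = {
    "BruteForce": "SecurityEvent | where EventID == 4625 | summarize count() by Account",
    "CatchAllUnion": "union withsource=TableName1 * | where TimeGenerated > ago(1h)",
    "CatchAllSearch": "search * | where TimeGenerated > ago(1h)",
    "PrefixUnion": "union Sec* | where TimeGenerated > ago(1h)",
}

if __name__ == "__main__":
    for rule, problems in check_rules(SAMPLE_RULES).items():
        print(f"{rule}: {'; '.join(problems)}")
    print("expanded 'union *' length:",
          expanded_union_length(["*"], SAMPLE_TABLES))
    print("expanded 'union Sec*' length:",
          expanded_union_length(["Sec*"], SAMPLE_TABLES))
```

Run it against the exported queries of your rules before creating or updating them; the `CatchAllUnion` sample shows that the `withsource=` option does not hide the trailing `*` from the check, while `PrefixUnion` passes because a prefix wildcard is not `union *`.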