SOLVED

Azure Sentinel - analytic rule will be disabled


Hi All,

I received a very odd message from MS today:

You have an analytic rule that violates the Azure Sentinel guidelines (uses "union *" in the query).
This rule will be disabled since it failed to run.
The disabled rule name and description will be changed (AUTO DISABLED will be added to it).
"The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *"."

It means I am not allowed to have the following line in my query:
union withsource=TableName1 *
Has anyone come across it before?

Many Thanks

3 Replies

@serg19 


Reading between the lines it's not the "union *" that's the issue, it's that when the "*" expands you have so many table space names that it exceeds 10,000 characters. You may need to split it with something like "union A* | union a*" or similar.

Could you please share what your role in the tenant is, so that you receive those types of messages?
best response confirmed by GBushey (Microsoft)
Solution
This is noted here, source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom

"Rule query best practices:

The query length should be between 1 and 10,000 characters and cannot contain "search *" or "union *". You can use user-defined functions to overcome the query length limitation."
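As an added illustration (not from this thread or from Microsoft's documentation), the rejected wildcard form is shown beside two compliant rewrites of the same rule. The table names, the spike threshold and the function alias WatchedTables are assumed examples, not values from the original post.

```kusto
// Rejected by the analytic-rule validator: a wildcard union over every table
// in the workspace (the rule is auto-disabled).
//   union withsource=TableName1 *
//   | where TimeGenerated > ago(1h)

// Option 1: enumerate only the tables the detection actually reads.
// SigninLogs, AuditLogs and SecurityEvent are assumed examples.
union withsource=TableName1 SigninLogs, AuditLogs, SecurityEvent
| where TimeGenerated > ago(1h)
| summarize EventCount = count() by TableName1, bin(TimeGenerated, 5m)
| where EventCount > 1000   // assumed threshold: flag a volume spike per source

// Option 2: when the explicit table list is long, save it as a Log Analytics
// function (Logs blade -> Save -> Save as function) under an assumed alias
// WatchedTables whose body is:
//   union withsource=TableName1 SigninLogs, AuditLogs, SecurityEvent
// The rule query then stays short and contains neither "union *" nor "search *":
WatchedTables
| where TimeGenerated > ago(1h)
| summarize EventCount = count() by TableName1, bin(TimeGenerated, 5m)
| where EventCount > 1000
```

The length limit applies to the rule query text itself, so moving the table list into the function keeps the rule under 10,000 characters as the documentation quoted above suggests.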
