Sep 29 2020 12:52 PM
Hi All,
I received a very odd message from MS today:
You have an analytic rule that violates the Azure Sentinel guidelines (uses “union *” in the query).
This rule will be disabled since it failed to run.
The disabled rule name and description will be changed (AUTO DISABLED will be added to it)
“The query length should be between 1 and 10,000 characters and cannot contain “search *” or “union *”.”
It means I am not allowed to have the following line in my query:
union withsource=TableName1 *
Has anyone come across it before?
Many Thanks
Sep 30 2020 02:13 AM
Reading between the lines it's not the "union *" that's the issue, it's that when the "*" expands you have so many table space names that it exceeds 10,000 characters. You may need to split it with something like "union A* | union a*" or similar.
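As an added example (not part of the thread and not Microsoft's code), a pre-deployment check in Python for the constraints quoted in the notification: query length between 1 and 10,000 characters, and no "search *" or "union *". The thread does not say how the service matches these patterns, so the function name `check_rule_query`, the handling of `union` parameters such as `withsource=`, and the choice to ignore comments and string literals are assumptions.

```python
import re

MAX_LEN = 10_000  # limit quoted in the notification

_LITERAL_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*')
_UNION = re.compile(r"\bunion\b([^|;]*)", re.I)           # operator plus its table list
_UNION_PARAM = re.compile(r"\b(?:kind|withsource|isfuzzy)\s*=\s*\w+", re.I)
_SEARCH_ALL = re.compile(r"\bsearch\b(?:\s+kind\s*=\s*\w+)?\s+\*(?=\s|\||$)", re.I)


def _code_only(query):
    """Drop // comments and blank string literals (assumption: they do not count)."""
    return _LITERAL_OR_COMMENT.sub(
        lambda m: "" if m.group().startswith("//") else '""', query)


def check_rule_query(query):
    """Return a list of findings; an empty list means the query passes."""
    findings = []
    if not 1 <= len(query) <= MAX_LEN:
        findings.append(f"length {len(query)} outside 1..{MAX_LEN}")
    code = _code_only(query)
    if _SEARCH_ALL.search(code):
        findings.append("search *")
    for m in _UNION.finditer(code):
        # Remove withsource=/kind=/isfuzzy= and look for a bare * among the tables.
        tables = _UNION_PARAM.sub("", m.group(1)).split(",")
        if any(t.strip() == "*" for t in tables):
            findings.append("union *")
            break
    return findings


# Constructed sample rules; only the wildcard union line comes from the thread.
SAMPLES = {
    "wildcard_union": "union withsource=TableName1 *\n| where TimeGenerated > ago(1h)",
    "explicit_union": "union withsource=TableName1 SecurityEvent, SigninLogs\n| take 10",
    "prefix_union": "union Sec*, Sign*  // prefixes, not a bare *\n| count",
    "comment_only": "SecurityEvent // was: union *\n| count",
    "search_all": 'search * | where Computer == "srv01"',
}

if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(name, check_rule_query(q) or "ok")
```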