cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Kusto query

Bhavini
Copper Contributor

‎Sep 29 2023 08:55 AM

‎Sep 29 2023 08:55 AM

Kusto query

I am using below query in analytics rule and it is giving error "Query returned more than one result set. Only one result set is supported per rule". Please suggest.

 

Query:

let IP = (_GetWatchlist('PaloAltoDevice')
| project SearchKey);
let starttime = 10d;
let endtime = 1d;
let threshold = 500;
let nxDomainDnsEvents = DnsEvents;
workspace("787d7230-15d6-4e95-b2d6-b38fd004fd0e").DnsEvents
|union workspace("c876584a-693c-422b-9755-5d2a53e93def").DnsEvents
    | where ResultCode == 3
    | where QueryType in ("A", "AAAA")
    | where ipv4_is_match("127.0.0.1", ClientIP) == False
    | where Name !contains "/"
    | where Name contains ".";
nxDomainDnsEvents
| where TimeGenerated > ago(endtime)
| extend sld = tostring(split(Name, ".")[-2])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP
| where dcount_sld > threshold
// Filter out previously seen IPs
| join kind=leftanti (nxDomainDnsEvents
    | where TimeGenerated between(ago(starttime) .. ago(endtime))
    | extend sld = tostring(split(Name, ".")[-2])
    | summarize dcount(sld) by ClientIP
    | where dcount_sld > threshold)
    on ClientIP
// Pull out sample NXDomain responses for those remaining potentially infected IPs
| join kind = inner (nxDomainDnsEvents
    | summarize by Name, ClientIP)
    on ClientIP
| summarize
    StartTimeUtc = min(StartTimeUtc),
    EndTimeUtc = max(EndTimeUtc),
    sampleNXDomainList=make_list(Name, 100)
    by ClientIP, dcount_sld
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP
| where ClientIP !in (IP)
 
Error Screenshot:
 
Bhavini_0-1696002892554.png

 

Labels:
637 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Bhavini (Copper Contributor)
GBushey

‎Oct 03 2023 12:01 PM

‎Oct 03 2023 12:01 PM

Solution

Re: Kusto query

Looks like the line starting with "workspace" will return one result set while the line starting with "nxDomainDnsEvents" returns another. Did you mean to set up the first one as temp table?
0 Likes
Reply
Bhavini

‎Oct 03 2023 12:19 PM

‎Oct 03 2023 12:19 PM

Re: Kusto query

Yes. Previously, it was working fine. But by using cross workspace query, I started getting this error message.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Bhavini (Copper Contributor)
GBushey

‎Oct 03 2023 12:01 PM

‎Oct 03 2023 12:01 PM

Solution

Re: Kusto query

Looks like the line starting with "workspace" will return one result set while the line starting with "nxDomainDnsEvents" returns another. Did you mean to set up the first one as temp table?

View solution in original post

0 Likes
Reply