
I intend to design rule templates for Microsoft Sentinel using KQL for different instances. The workspaces have various log sources, so different tables.

Some detections can be made using different log sources, so different tables. For example, for logons: SigninLogs for Azure AD and SecurityEvent.

I've designed my query as such:

    let AD_Rule = SecurityEvent
    | where ...;
    let AAD_Rule = SigninLogs
    | where ...;
    union isfuzzy=true AD_Rule, AAD_Rule

Problem: sometimes one workspace has SecurityEvent and sometimes not. Pushing the rule into the latter yields:

Status Message: Failed to run the analytics rule query. One of the tables does not exist. (Code:BadRequest)

How can I force my KQL to return an empty result instead of failing if one of the tables is missing?

moutonjr

1 Answer


(The error message you've included doesn't come from the Kusto backend, so please take the following with a grain of salt)

If you know a minimal subset of the schema you plan to get in the response, you can union with an empty datatable that has that schema.

For example:

    union isfuzzy = true
        NonExistingTable1,
        NonExistingTable2,
        (datatable(col_1:string, col_2:int)[])
Yoni L.
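The following applies the answer's empty-datatable pattern to the question's two logon sources. It is an added example, not code from the question or the answer: the projected column names, the use of EventID 4625 (Windows failed logon) and a non-zero SigninLogs ResultType as "failed logon", the 1-hour bin and the threshold of 10 are assumptions chosen for illustration, and it assumes the fuzzy-union behaviour described in the answer also covers operands bound with let.

```kql
// Added example; not from the original question or answer.
// The empty datatable fixes the output schema, so the union still yields a
// (possibly empty) result when SecurityEvent or SigninLogs is absent from
// the workspace.
let minimal_schema = datatable(
    TimeGenerated:datetime,
    Account:string,
    Source:string,
    ResultType:string
)[];
// Windows failed logons (EventID 4625), normalised to the minimal schema.
let AD_Rule = SecurityEvent
    | where EventID == 4625
    | project TimeGenerated, Account, Source = "SecurityEvent", ResultType = tostring(EventID);
// Azure AD sign-in failures (ResultType "0" is success), normalised the same way.
let AAD_Rule = SigninLogs
    | where ResultType != "0"
    | project TimeGenerated, Account = UserPrincipalName, Source = "SigninLogs", ResultType;
// isfuzzy=true lets a missing operand drop out instead of failing the query;
// minimal_schema always resolves, so at least one operand exists.
union isfuzzy=true minimal_schema, AD_Rule, AAD_Rule
// Assumed detection logic: 10 or more failures per account and source per hour.
| summarize FailedLogons = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Account, Source, bin(TimeGenerated, 1h)
| where FailedLogons >= 10
| order by FailedLogons desc
```

Because every operand is projected onto the same column set before the union, the downstream summarize works identically whether one or both sources are present, which is what makes a single rule template reusable across workspaces with different tables.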