Sentinel-Automation

Issue with Sentinel Query

Open dutchboy007 opened this issue 8 months ago • 3 comments

Getting the below error while trying to run the Sentinel query. Assuming the use of a union table to compare and retrieve the data?

Tried changing the schedule and start time... still..

Request is invalid and cannot be processed: Semantic error: CRT0015: Query complexity exceeded: the relational operators tree exceeded the limits.

dutchboy007 avatar Apr 27 '25 05:04 dutchboy007

Hi,

Can you share some context on what automation solution you are using and at which step the error is returned? Based on the schedule, I suspect one of the Logic Apps.

Bert-JanP avatar Apr 27 '25 13:04 Bert-JanP

You are right... it's the Logic Apps error. Here's a snapshot from it. I have added the error from the Run Query step.

Image

Error log

{
  "ResultStatus": "BadRequest",
  "Content": {
    "error": {
      "message": "The request had some invalid properties",
      "code": "BadArgumentError",
      "correlationId": "300bf953-fdf0-4de6-b1d1-8c3483e895e0",
      "innererror": {
        "code": "SyntaxError",
        "message": "Request is invalid and cannot be processed: Semantic error: CRT0015: Query complexity exceeded: the relational operators tree exceeded the limits."
      }
    }
  },
  "Message": "Failed to get HTTP response because of invalid input (DRAFT, visualizeQuery). Bad request input. Please Check user input parameters (query syntax, chart type or other resource input)\r\nclientRequestId: 882e71f3-af5a-4de9-9720-21c6bd1cc780"
}

dutchboy007 avatar Apr 29 '25 09:04 dutchboy007

Thanks for sharing, this is related to the Report-NewTableActionFound Logic App.

Can you execute the KQL below in your Sentinel tenant and share the results?

let TimeFrame = 180d;
let Schedule = 7d;
let KnownActions = union *
| where TimeGenerated between (startofday(ago(TimeFrame)) .. startofday(ago(Schedule))) 
| extend Action = coalesce(Operation, OperationName, OperationNameValue, ActionType, tostring(EventID))
| where isnotempty(Action)
| distinct Action;
union *
| where TimeGenerated > startofday(ago(Schedule)) 
| extend Action = coalesce(Operation, OperationName, OperationNameValue, ActionType, tostring(EventID))
| where isnotempty(Action) and Action !in (KnownActions)
| distinct Type, Action
| project-rename DataType = Type
| sort by DataType, Action

My first assumption is that it goes bad on the line below. Based on the output of the Sentinel execution, we can further resolve the issue.

| extend Action = coalesce(Operation, OperationName, OperationNameValue, ActionType, tostring(EventID))

Bert-JanP avatar Apr 29 '25 18:04 Bert-JanP
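A variant of the same check that avoids `union *`, added here as an example and not the Sentinel-Automation project's own query. It assumes that CRT0015 is triggered by `union *` expanding into a separate operator subtree for every table in the workspace, twice (the diagnosis is still open in this thread), and so runs the identical baseline-versus-recent comparison over an explicit table list. The table list, the `Scope` function name and the `column_ifexists` guards are assumptions of this example, not part of the original query.

```kusto
// Added example, not the Sentinel-Automation project's own query.
// Assumption: CRT0015 comes from `union *` fanning out across every table in
// the workspace, so the same logic is run over a fixed, short list of tables.
// The table list below is hypothetical; replace it with the tables the
// original query's output showed are relevant in your workspace.
let TimeFrame = 180d;
let Schedule = 7d;
// One reusable union over a fixed table set instead of two `union *` scans.
// isfuzzy=true keeps the query valid if a listed table does not exist.
// column_ifexists() keeps coalesce() valid when a listed table lacks a column,
// which `union *` hid because it always produced the superset of all columns.
let Scope = (fromTime: datetime, toTime: datetime) {
    union withsource=DataType isfuzzy=true
        AzureActivity, OfficeActivity, SigninLogs, AuditLogs, SecurityEvent, DeviceEvents
    | where TimeGenerated between (fromTime .. toTime)
    | extend Action = coalesce(
        column_ifexists("Operation", ""),
        column_ifexists("OperationName", ""),
        column_ifexists("OperationNameValue", ""),
        column_ifexists("ActionType", ""),
        tostring(column_ifexists("EventID", "")))
    | where isnotempty(Action)
};
// Baseline: every action seen in the lookback window, computed once and cached
// so the recent-window comparison does not re-expand the union.
let KnownActions = materialize(
    Scope(startofday(ago(TimeFrame)), startofday(ago(Schedule)))
    | distinct Action
);
// Recent window: actions per table that never appeared in the baseline.
Scope(startofday(ago(Schedule)), now())
| where Action !in (KnownActions)
| distinct DataType, Action
| sort by DataType, Action
```

The output keeps the original columns (`DataType`, `Action`) so it can be dropped into the Report-NewTableActionFound Logic App's Run Query step without changing the downstream parsing; `DataType` comes from `withsource=` rather than from the `Type` column. If a workspace has many more tables of interest than fit in one list, the same `Scope` function can be run over several smaller lists and the results unioned, which keeps each operator tree bounded.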

Image

dutchboy007 avatar May 27 '25 05:05 dutchboy007

Thanks for sharing. It seems that the tenant you have contains more data than the query can handle. Just to confirm: if you change the TimeFrame to 90 or 30 days, does the query run successfully?

Bert-JanP avatar May 29 '25 08:05 Bert-JanP