Merge pull request #248812 from yelevin/yelevin-patch-2

prmerger-automator[bot] · web-flow · commit 4a87d0a5bac5 · 2023-08-21T08:31:57.000Z
Removed restrictions on using unions and joins in NRT queries
diff --git a/articles/sentinel/create-nrt-rules.md b/articles/sentinel/create-nrt-rules.md
@@ -42,7 +42,7 @@ You create NRT rules the same way you create regular [scheduled-query analytics
 
     The configuration of NRT rules is in most ways the same as that of scheduled analytics rules. 
 
-    - You can refer to [**watchlists**](watchlists.md) in your query logic.
+    - You can refer to multiple tables and [**watchlists**](watchlists.md) in your query logic.
 
     - You can use all of the alert enrichment methods: [**entity mapping**](map-data-fields-to-entities.md), [**custom details**](surface-custom-details-in-alerts.md), and [**alert details**](customize-alert-details.md).
 
@@ -58,8 +58,6 @@ You create NRT rules the same way you create regular [scheduled-query analytics
 
     In addition, the query itself has the following requirements:
 
-    - The query itself can refer to only one table, and cannot contain unions or joins.
-
     - You can't run the query across workspaces.
 
     - Due to the size limits of the alerts, your query should make use of `project` statements to include only the necessary fields from your table. Otherwise, the information you want to surface could end up being truncated.
diff --git a/articles/sentinel/near-real-time-rules.md b/articles/sentinel/near-real-time-rules.md
@@ -37,11 +37,7 @@ The following limitations currently govern the use of NRT rules:
 
     (Since the NRT rule type is supposed to approximate **real-time** data ingestion, it doesn't afford you any advantage to use NRT rules on log sources with significant ingestion delay, even if it's far less than 12 hours.)
 
-1. As this type of rule is new, its syntax is currently limited but will gradually evolve. Therefore, at this time the following restrictions are in effect:
-
-    1. The query defined in an NRT rule can reference **only one table**. Queries can, however, refer to multiple watchlists.
-
-    1. You cannot use unions or joins.
+1. The syntax for this type of rule is gradually evolving. At this time the following limitations remain in effect:
 
     1. Because this rule type is in near real time, we have reduced the built-in delay to a minimum (two minutes).
 
@@ -51,6 +47,8 @@ The following limitations currently govern the use of NRT rules:
 
     1. Event grouping is now configurable to a limited degree. NRT rules can produce up to 30 single-event alerts. A rule with a query that results in more than 30 events will produce alerts for the first 29, then a 30th alert that summarizes all the applicable events.
 
+    1. Queries defined in an NRT rule can now reference **more than one table**.
+
 ## Next steps
 
 In this document, you learned how near-real-time (NRT) analytics rules work in Microsoft Sentinel.
