Microsoft Defender XDR Blog

Microsoft Defender: New Advanced hunting enhancements

Noa_Nutkevitch
Apr 28, 2026
Co-author: Jeremy Tan

As a security analyst who actively hunts for critical threats, one of the most frustrating things that can happen is hitting a limit mid-query or encountering an experience that doesn’t behave as expected. The resulting friction and the time spent troubleshooting or navigating take valuable focus away from the investigation itself.

To address this, we’ve made several enhancements across the experience to ensure investigations can scale seamlessly so analysts can stay focused on finding and stopping threats without interruption. These updates are based on your feedback and our commitment to continually improve the experience for analysts and customers alike.

Scaling Investigations with Expanded Limits

We’ve made several enhancements across the experience to expand limits and better support large-scale investigations so analysts can query, explore, and act on more data with fewer constraints.

Results limitation increase (Preview)

We have heard your feedback on the need for larger data sets and are excited to announce that the results limitation in advanced hunting has been raised from 30,000 to 100,000 records. Now, queries returning up to 100,000 results will display all available data. If a query exceeds this threshold, results are truncated as before, but the increase allows for more comprehensive analysis and improved incident response.

Records limitation picker (Preview)

One common challenge in advanced hunting has been the risk of running queries that return overwhelming result sets, consuming excessive resources and potentially hitting system limits. The new records limitation picker addresses this by allowing you to explicitly set how many rows a query should return, directly from the editor toolbar.

  • Choose from predefined limits: 1,000, 5,000, 10,000, 30,000, or 100,000 rows.
  • Select the maximum system limit (currently 100,000 records).
  • Define a custom value as needed.
  • The selected limit applies alongside any KQL-defined row limitations, with the lower value always taking precedence.
  • Your choice persists across page refreshes, navigation, and browser restarts.
  • By default, tenants start at the maximum row limit, but you can tailor your selection via page preferences.

This enhancement greatly improves performance and prevents unexpected limitations, making hunting safer and more efficient.

Partial results on size limit (GA)

Previously, queries that exceeded the 64 MB results size limit would fail outright, forcing analysts to modify their queries and rerun them. With the latest update, partial results are now provided when the size limit is reached:

  • Queries return the maximum records that fit within the 64 MB cap.
  • A clear message bar indicates when results are partial due to size constraints.
  • This allows you to act on available data immediately, without repeating query adjustments.

This improvement speeds up investigations and provides valuable data even in scenarios where limits are reached.

Enhanced UI for Faster, More Intuitive Investigations

We’ve made significant enhancements to the user experience delivering a more streamlined interface that helps analysts move through incidents with greater clarity, act with confidence, and spend less time searching and more time responding.

Hear from one of our customers:

“The recent updates to the Defender Advanced Hunting experience have gone a long way toward decluttering the interface and lowering the barrier for analysts and engineers who were previously more comfortable working exclusively in Microsoft Sentinel in the Azure portal.

By simplifying navigation, reducing unnecessary visual noise, and adding pinnable tabs, the XDR portal now feels more familiar. This usability improvement has helped shift long-standing Sentinel users toward the XDR experience without forcing a change in how teams think about their data or workflows.”

- Matt McCullogh, Senior SIEM Engineer, Best Buy

Query details side pane: enhanced visibility and troubleshooting (GA)

Understanding query execution and troubleshooting errors has often required tedious trial and error. The new query execution details side pane surfaces rich, actionable metadata for every query—successful or failed. With this feature, you can:

  • View execution time breakdowns, data sources, scopes, and resource utilization.
  • Examine response characteristics and detailed error information.
  • Navigate tabs such as overview, raw statistics, and errors for comprehensive diagnostics.
  • Access the side pane easily after running a query, or even from error messages in failure scenarios.

This transparency makes it far easier to investigate issues and optimize your hunting experience.

Improved error-handling for Advanced hunting queries (GA)

Advanced hunting now provides improved output messages, including clearer error messages that explain query failures and actionable suggestions for common issues. This update simplifies troubleshooting and helps reduce downtime with complex queries.

Simpler Navigation, More Powerful Hunting

Alongside these updates, the Advanced hunting UI has received several enhancements focused on usability and streamlined workflows. Users can now filter results with a single click, making data exploration more efficient and responsive, and the schema tree can now be fully collapsed or expanded in one action. Additionally, the page layout has been restructured, organizing components in a more intuitive manner for a modern, cohesive experience that makes advanced hunting both powerful and easy to use.

Rename tabs (GA)

Another notable usability enhancement is the ability for users to rename their working tabs within advanced hunting. This feature enables users to organize their work sessions more efficiently, allowing for clear identification of ongoing investigations and queries without requiring them to save their work as long-term functions or queries. By simply renaming tabs, users can quickly switch between tasks and keep their workspace well-structured, further improving workflow and productivity.

Saving KQL functions to Log Analytics workspace (GA)

In addition to the above enhancements, we are delighted to introduce the ability to save KQL functions directly from the advanced hunting page into your Log Analytics workspace. To use this feature:

  • Pick a folder under shared functions → Sentinel workspace functions.
  • Functions saved in this folder are available for use in workbooks, analytics rules, and for execution in advanced hunting.
  • Note: functions saved here are not available in custom detection rules.

This new capability empowers you to build reusable logic and streamline your security workflows across Microsoft Sentinel and advanced hunting.

Conclusion

These enhancements represent our continued commitment to supporting your security investigations with robust, flexible, and efficient tools. We look forward to your feedback and to bringing even more improvements in the future. Learn more about the new advanced hunting enhancements in our documentation.

Updated Apr 28, 2026
Version 2.0