Forum Discussion
StephenMcc
Mar 25, 2020 - Brass Contributor
Advanced hunting API Limitations
The documentation at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api#limitations states there is a max result limit of 100,000 rows. Is there also a limit on table_size that can be returned when querying via the advanced hunting API? If so, what is the limit?
For example, this query returns a generic '400 Bad Request' response:
atpQuery='DeviceEvents | limit 100000'
However, when limiting to a few columns (much smaller table size, same number of requested rows), I'm able to retrieve all 100K rows with:
atpQuery='DeviceEvents | project Timestamp, DeviceId, DeviceName | limit 100000'
For the successful query, the Stats returned are ["dataset_statistics"][{'table_row_count': 100000, 'table_size': 7734181}]
1 Reply
- StephenMcc - Brass Contributor
For anyone that comes across this issue, the confirmed size limit on results returned by a hunting API query is 50MB.
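The failure mode described in this thread (a generic 400 once the result body passes 50 MB, even though the row count is within the 100,000-row cap) is easiest to avoid by projecting only the columns you need and walking the time range in windows that shrink on a 400 or on a full page. The Python below is an added example, not code from the thread or from Microsoft. It assumes the documented endpoint `https://api.securitycenter.microsoft.com/api/advancedqueries/run` taking a JSON body `{"Query": "<KQL>"}` with a bearer token, and that the response carries `Results` plus `Stats.dataset_statistics` with `table_row_count` and `table_size` as the post shows; `http_transport` is the real transport, while `fake_transport` is a constructed stand-in that sizes a result from the window in the KQL so the chunking logic can run offline.

```python
"""Chunked Advanced Hunting queries that stay under the row and size caps.

Added example, not part of the original thread. Assumptions: the endpoint URL,
request body and response shape below follow the public API documentation; the
50 MB limit and the 400 response are what the thread reports.
"""
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

MAX_ROWS = 100_000             # documented per-query row cap
MAX_BYTES = 50 * 1024 * 1024   # 50 MB result cap confirmed in the thread
API_URL = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"  # assumed endpoint


class QueryTooLarge(Exception):
    """Raised when the service answers 400, which the thread shows for oversized results."""


def http_transport(token):
    """Real transport (assumed request shape): POST {"Query": kql} with a bearer token."""
    def run(kql):
        req = urllib.request.Request(
            API_URL, data=json.dumps({"Query": kql}).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 400:
                raise QueryTooLarge(kql) from err
            raise
    return run


def _kql_time(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query(table, columns, start, end, limit=MAX_ROWS):
    """Project only the needed columns and bound the window so each chunk stays small."""
    return (f"{table} | where Timestamp >= datetime({_kql_time(start)}) "
            f"and Timestamp < datetime({_kql_time(end)}) "
            f"| project {', '.join(columns)} | order by Timestamp asc | limit {limit}")


def collect(run, table, columns, start, end,
            window=timedelta(hours=1), min_window=timedelta(minutes=1)):
    """Walk [start, end) in adaptive time windows, shrinking on a 400 or on a full page."""
    rows, cursor = [], start
    while cursor < end:
        chunk_end = min(cursor + window, end)
        try:
            resp = run(build_query(table, columns, cursor, chunk_end))
        except QueryTooLarge:
            if window <= min_window:
                raise           # even one minute exceeds 50 MB: project fewer columns
            window /= 2
            continue
        stats = resp["Stats"]["dataset_statistics"][0]
        if stats["table_row_count"] >= MAX_ROWS and window > min_window:
            window /= 2         # hit the row cap, so this page is truncated: retry narrower
            continue
        rows.extend(resp["Results"])
        cursor = chunk_end
        if stats["table_size"] < MAX_BYTES // 4 and stats["table_row_count"] < MAX_ROWS // 4:
            window = min(window * 2, timedelta(days=1))   # plenty of headroom: widen
    return rows


def fake_transport(events_per_minute, bytes_per_row):
    """Constructed stand-in for the API: derives the row count from the KQL window and
    answers like a 400 when the full result would exceed 50 MB (never calls the network)."""
    pattern = re.compile(r"datetime\(([^)]+)\) and Timestamp < datetime\(([^)]+)\)")

    def run(kql):
        s, e = (datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ") for v in pattern.search(kql).groups())
        n = min(int((e - s).total_seconds() // 60) * events_per_minute, MAX_ROWS)
        size = n * bytes_per_row
        if size > MAX_BYTES:
            raise QueryTooLarge(kql)
        results = [{"Timestamp": _kql_time(s + timedelta(seconds=i)), "DeviceId": f"dev{i % 7}"}
                   for i in range(n)]
        return {"Results": results,
                "Stats": {"dataset_statistics": [{"table_row_count": n, "table_size": size}]}}
    return run


if __name__ == "__main__":
    start = datetime(2020, 3, 25, tzinfo=timezone.utc)
    # 2000 events/min at 600 bytes/row: a 1-hour page would be 100k rows and ~60 MB (rejected),
    # so the collector drops to 30-minute windows of 60k rows (~36 MB) and succeeds.
    run = fake_transport(events_per_minute=2000, bytes_per_row=600)
    rows = collect(run, "DeviceEvents", ["Timestamp", "DeviceId", "DeviceName"],
                   start, start + timedelta(hours=2))
    print(len(rows))   # 240000
```

Swap `fake_transport(...)` for `http_transport(token)` to run against the service; the `dataset_statistics` check is what lets the collector widen windows again when the projected rows are small, which is the same effect the thread's three-column `project` had.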