Naga Krishna
Apr 16, 2018 (Copper Contributor)
Limit of exporting only 500 records is not helping
Hi Team,
We are trying to solve a problem where we would create a policy with conditions; it displays the data but does not allow exporting all the data/logs. It throws an error saying 'Export limit reached' - Export is limited to the first 5000 records.
Cloud App Security could have been helpful for us if it allowed us to export all the logs. This limitation is not helping us.
Can MS help leveraging Cloud app security scripting module or something to export all the logs matching the filters we have?
Thanks
Krishna
3 Replies
- rajatm (Former Employee): You could use the MDA REST API as detailed at: https://docs.microsoft.com/en-us/defender-cloud-apps/api-activities
- Karun365 (Copper Contributor): Hello Krishna, were you able to find a solution? Currently I'm also investigating an incident using CloudApps Activity log and there is still an export limit of 5000 items.
I do know that there is some way with Advanced Hunting using KQL Queries to get a view of all the events.
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide#apps-and-services-covered
I'm totally new with KQL and still trying to find the correct query to see the total amount of activity logs.
- Deleted:
This is a problem I'm running into as well.
Is there another way I can access the data so I can work with it more efficiently?
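
An added example, not part of the thread and not Microsoft's code: one way to pull every matching activity through the REST API linked in the first reply, by following pagination rather than using the portal export. The `isScan`, `hasNext` and `nextQueryFilters` fields and the `Token` authorization header are assumptions based on the linked API documentation; `fake_backend` and its `_cursor` filter are constructed so the code runs offline.

```python
import json
import urllib.request

def http_post(url, token, body):
    """Real transport: POST one JSON query with the API token header (assumed scheme)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Authorization": "Token " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def export_activities(post, filters, max_pages=100000):
    """Collect every activity matching `filters` by following pagination.

    `post(body)` sends one request and returns the decoded JSON reply.
    Assumed reply shape: {"data": [...], "hasNext": bool, "nextQueryFilters": {...}}.
    """
    body = {"filters": dict(filters), "isScan": True}
    records = []
    for _ in range(max_pages):
        reply = post(body)
        records.extend(reply.get("data", []))
        if not reply.get("hasNext"):
            return records
        next_filters = reply.get("nextQueryFilters")
        if not next_filters:
            # Fail loudly instead of returning a silently truncated export.
            raise RuntimeError("hasNext set but no nextQueryFilters returned")
        body["filters"] = next_filters
    raise RuntimeError("max_pages reached; export is incomplete")

def fake_backend(total, page_size):
    """Constructed stand-in for the service: serves `total` records in pages."""
    def post(body):
        start = body["filters"].get("_cursor", 0)  # "_cursor" is made up for this stub
        end = min(start + page_size, total)
        return {"data": [{"_id": i} for i in range(start, end)],
                "hasNext": end < total,
                "nextQueryFilters": {"_cursor": end}}
    return post

if __name__ == "__main__":
    # Offline run against the constructed backend: 12000 records, 100 per page.
    rows = export_activities(fake_backend(12000, 100), {})
    print(len(rows), "records exported")
    # Live use (placeholders, fill in from the linked docs and your tenant):
    # post = lambda b: http_post("<activities endpoint URL>", "<api token>", b)
```

For incident work, write `records` to a file as newline-delimited JSON and keep the filter used alongside it, so the export can be reproduced later.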