Forum Discussion
Phoenixstar
Jan 19, 2022, Copper Contributor
KQL data limit
Adios Defenders,
Does anyone know how to bypass the data limit of 10000 rows?
- Clive_Watson (Bronze Contributor): You can use the API to get 100k rows? https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide Typically you'd only use more than a few 100's of rows if you plan to export the data; to make it human readable (much less than 10k), try the summarize or where operators: https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/summarizeoperator and https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/whereoperator
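As an added illustration of the where/summarize approach suggested above (example query written for this page, not posted by anyone in the thread), the following Advanced Hunting query narrows the time window and device set first, then collapses raw process events into one row per device/binary so the result stays far below the 10k portal limit. It assumes the standard DeviceProcessEvents schema; the device-name prefix and the 1,000-row cutoff are placeholder values chosen for the example.

```kql
// Narrow the data before aggregating: time window first, then device scope.
DeviceProcessEvents
| where Timestamp > ago(1d)                       // smaller period = fewer rows
| where DeviceName startswith "srv-"               // placeholder: limit to one device group
| where FileName in~ ("powershell.exe", "cmd.exe") // drop events irrelevant to the hunt
// Collapse many events into one summary row per device and binary.
| summarize
    Count = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Hashes = make_set(SHA256, 10)
    by DeviceName, FileName, InitiatingProcessFileName
| where Count > 5                                 // keep only repeated activity
| top 1000 by Count desc                          // hard cap well under the 10k limit
```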
- Phoenixstar (Copper Contributor): Will implement this. Thanks!!
- Tali Ash (Microsoft): This is the most updated AH API: https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worldwide You can leverage it to get up to 100K records.
- ExMSW4319 (Iron Contributor): As far as I am aware, the limit is fixed. The trick is to get your query down beneath the limit by imposing criteria in the most efficient order. You can view a shorter period of time, a more limited group of devices or simply remove data irrelevant to the threat you are hunting. I cannot be more specific as I typically work with EXO, but even then our tenancy is big enough to slam straight into the limits if I tried to eat everything.