Query Defender XDR Timeline data without GUI
Hi zlate81, there is a limitation of the Microsoft Defender XDR portal’s GUI (Timeline). By design, the web interface only lets you query a relatively short time window (a few days to ~30 days). If you need older data (weeks/months) without going through Sentinel, you’ll need to use programmatic options.
Here’s how you can query older Defender XDR data without relying on the GUI:
a. Use the Microsoft 365 Defender Advanced Hunting API
- Defender XDR stores data for up to 180 days (depending on your license: E5 or Defender XDR P2).
- The Advanced Hunting API lets you run KQL queries (similar to Sentinel) programmatically.
b. Use Power BI Connector
- Microsoft provides a Power BI Advanced Hunting connector that lets you pull weeks or months of Defender data into Power BI directly.
- This avoids the GUI limitations and supports long-term queries.
⚠️ Why Short Period?
- The GUI Timeline is a lightweight investigative view, not a full data lake.
- Backend retention is much longer (30–180 days), but you need API / Advanced Hunting to unlock it.
To query Defender XDR data beyond 30 days without Sentinel, use Advanced Hunting via API (preferred), Power BI connector, or Graph Security API. Timeline in the GUI will always be limited.
- zlate81, Sep 04, 2025, Copper Contributor
Thanks, I already have a Power BI setup towards the API. I did one test previously with the M query to AADSignInEventsBeta, if I remember, and I set |where Timestamp < ago(41d). I then got no results. On the following page, under "Quotas and resource allocation", it says "Queries explore and return data from the past 30 days." https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting Do you know if using the Graph API endpoint will work as you say?
https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http
Br, Tommy
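Added example (not part of either post above, and not Microsoft's code): one way to check empirically how far back the Graph `runHuntingQuery` endpoint linked above returns data for a table, by asking for the oldest `Timestamp` instead of filtering on a guessed age. It assumes a bearer token obtained separately; the helper names and the sample response are constructed for illustration.

```python
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# Probe query: oldest and newest event the API will return for the table.
PROBE_KQL = (
    "AADSignInEventsBeta "
    "| summarize Oldest=min(Timestamp), Newest=max(Timestamp), Events=count()"
)

def build_request(token, kql):
    """Build the POST request; the endpoint takes the KQL in a 'Query' field."""
    body = json.dumps({"Query": kql}).encode("utf-8")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return urllib.request.Request(GRAPH_URL, data=body, headers=headers,
                                  method="POST")

def run_probe(token):
    """Send the probe (needs network access and a valid token)."""
    with urllib.request.urlopen(build_request(token, PROBE_KQL), timeout=60) as r:
        return json.load(r)

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp, tolerating 7-digit fractions."""
    head, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)

def lookback_days(response, now):
    """Whole days between 'now' and the oldest returned event, or None."""
    rows = response.get("results", [])
    if not rows or not rows[0].get("Oldest"):
        return None  # empty table or no rows inside the queryable window
    return (now - parse_ts(rows[0]["Oldest"])).days

# Constructed sample response (not real tenant data), in the schema/results
# shape the endpoint returns.
SAMPLE = {
    "schema": [{"name": "Oldest", "type": "DateTime"},
               {"name": "Newest", "type": "DateTime"},
               {"name": "Events", "type": "Long"}],
    "results": [{"Oldest": "2025-08-20T10:15:30.1234567Z",
                 "Newest": "2025-09-04T11:59:00.0000000Z",
                 "Events": 1842}],
}

if __name__ == "__main__":
    now = datetime(2025, 9, 4, 12, 0, tzinfo=timezone.utc)
    print("lookback (days):", lookback_days(SAMPLE, now))
```

Running the same probe against each table of interest shows the lookback the API actually gives in a tenant, which settles the 30-day versus 180-day question with data rather than documentation.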