SOLVED

Azure Sentinel - how to fetch large result set of Winsec events by pagination


Hi Community,

We pump the logs of Windows security events of some computers into Azure Sentinel SIEM. Now we retrieve those logs from Sentinel to a local database by using the REST API. The problem is that when the result set is large, the API returns an error message like "Result size too large". So we want to implement pagination, fetch the data from the SIEM and then store it in the local DB.

However, according to the MS docs, KQL doesn't support a "Skip" operator.

So are there any ideas on how to implement this pagination method to fetch the large result set from the SIEM?

3 Replies

@Peter_custodio Can you limit the amount of data being returned by limiting the time range that you are looking at? Granted it will take multiple calls, but it should work.

@Gary Bushey
Thanks for your suggestion. We want to fetch the data from Sentinel every day by using a Task Scheduler job, insert it into the local DB and then query it.

So instead of calling multiple times in a day, is there any other way to fetch a large result set in one call?


best response confirmed by Peter_custodio (New Contributor)
Solution
Not that I can see. The Log Analytics query REST API doesn't appear to allow for limits and pages.