SOLVED

KQL data limit

New Contributor

Adios Defenders,

Does anyone know how to bypass the data limit of 10000 rows?

Have created a query. However, the results exceed the limit and max we see is 10000 entries, any suggestion, tricks !!

4 Replies
You can use the API to get 100k rows? https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?vie... Typically you'd only use more than a few hundred rows if you plan to export the data; to make it human readable (much less than 10k), try the summarize or where operators: https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/summarizeoperator and https://docs.microsoft.com/en-gb/azure/data-explorer/kusto/query/whereoperator
best response confirmed by Phoenixstar (New Contributor)
Solution
As far as I am aware, the limit is fixed. The trick is to get your query down beneath the limit by imposing criteria in the most efficient order. You can view a shorter period of time, a more limited group of devices or simply remove data irrelevant to the threat you are hunting. I cannot be more specific as I typically work with EXO, but even then our tenancy is big enough to slam straight into the limits if I tried to eat everything.
Will implement this. Thanks!!
This is the most updated AH API: https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worl...

You can leverage it to get up to 100K records.
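One way to apply the accepted answer's advice programmatically, as an added example that is not from any poster in this thread: split the hunting time range into windows and re-split any window whose result comes back exactly at the cap. The query runner is injected so the script runs offline; the `DeviceProcessEvents` query, the fake runner and the sample events are constructed assumptions, and the real HTTP call to the Advanced Hunting API linked above is not shown.

```python
import re
from datetime import datetime, timedelta
from typing import Callable, Dict, List

ROW_CAP = 10000  # per-query result cap discussed in the thread

# KQL with the time filter applied first, as the accepted answer recommends
KQL_TEMPLATE = (
    "DeviceProcessEvents\n"
    "| where Timestamp >= datetime({start}) and Timestamp < datetime({end})\n"
    "| project Timestamp, DeviceName, FileName"
)

def fetch_all(run_query: Callable[[str], List[Dict]], start: datetime,
              end: datetime, cap: int = ROW_CAP) -> List[Dict]:
    """Collect every row in [start, end): a window that returns exactly `cap`
    rows is treated as truncated and split in half until each half fits."""
    rows: List[Dict] = []
    pending = [(start, end)]
    while pending:
        lo, hi = pending.pop()
        result = run_query(KQL_TEMPLATE.format(start=lo.isoformat(), end=hi.isoformat()))
        if len(result) < cap or hi - lo <= timedelta(seconds=1):
            rows.extend(result)  # complete window (or too small to split further)
            continue
        mid = lo + (hi - lo) / 2
        pending += [(mid, hi), (lo, mid)]  # lo..mid is popped next
    return rows

def make_fake_runner(events: List[Dict], cap: int = ROW_CAP) -> Callable[[str], List[Dict]]:
    """Constructed stand-in for the API: applies the time filter, then truncates at cap.
    A real runner would POST the KQL to the Advanced Hunting API and return its rows."""
    def run(kql: str) -> List[Dict]:
        lo, hi = (datetime.fromisoformat(s) for s in re.findall(r"datetime\(([^)]+)\)", kql))
        return [e for e in events if lo <= e["Timestamp"] < hi][:cap]
    return run

def demo() -> int:
    """Constructed data: 10 process events per second for one hour = 36,000 rows."""
    t0 = datetime(2022, 1, 10, 8, 0, 0)
    events = [{"Timestamp": t0 + timedelta(seconds=i / 10), "DeviceName": f"host{i % 40}",
               "FileName": "powershell.exe"} for i in range(36_000)]
    rows = fetch_all(make_fake_runner(events), t0, t0 + timedelta(hours=1))
    assert len({r["Timestamp"] for r in rows}) == len(rows)  # no duplicate rows
    return len(rows)

if __name__ == "__main__":
    print(demo())  # 36000, versus 10000 from a single capped query
```

A window that is already one second wide and still hits the cap is kept as returned, so the gap in such a window is where a `where` on device or file name, or a `summarize`, has to take over.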