Microsoft Tech Community

Defender API limit


Hi All,

Using a Logic App, I need to pull Defender data and push it to a Sentinel workspace. But the Defender API supports only 10k rows per call, and I have nearly 20K results. Is there any way to pull all the data using a Logic App?

Thanks in advance

3 Replies
best response confirmed by Tomer Brand (Microsoft)
Solution
Hi @abensabu28,

10k rows per call is only in "Advanced Hunting" within the portal.

For the APIs, these are the max rows per call:

"The results will include a maximum of 100,000 rows."

Reference:
Microsoft 365 Defender APIs license and terms of use
https://docs.microsoft.com/en-us/legal/microsoft-365/api-terms

"The results will include a maximum of 100,000 rows."

Advanced hunting API
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?vie...

Export software vulnerabilities assessment (JSON response)

"Maximum page size is 200,000."
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-vu...

If you still run into the limits, review:
Advanced hunting query best practices
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?vie...
A couple of options for you to consider:

Microsoft 365 Defender integration with Microsoft Sentinel
https://docs.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration

M365D Streaming API
https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide

MDE Raw Data Streaming API
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export?view=o365-...

Thanks,
Yong Rhee - MSFT
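Worked example, added here as an editorial illustration and not part of the reply above or any Microsoft sample: the "Export software vulnerabilities assessment (JSON response)" endpoint that the reply links to is paged, so the way past a per-call row cap is to keep following the `@odata.nextLink` that each page returns until it is absent, then re-batch the rows to whatever size the Sentinel ingestion path you use accepts. The code assumes the documented response shape (a `value` array plus an optional `@odata.nextLink`) and the MDE API host; the `fetch` callable is injected so the pager runs offline here against a constructed fake that encodes the page offset in a hypothetical `skip` parameter (the real service returns an opaque link). The row fields and the ingestion limits are assumptions to be replaced with your own values.

```python
"""Follow @odata.nextLink across a paged Defender export and re-batch rows for ingestion.

Added example for this thread; it is not the poster's Logic App nor Microsoft code.
"""
import json
from typing import Callable, Dict, Iterator, List
from urllib.parse import parse_qs, urlparse

# MDE API host and the JSON export endpoint the reply links to (pageSize max 200,000 per
# the docs). The fake below only mimics the response shape; nothing here touches the network.
EXPORT_URL = "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine"

Page = Dict[str, object]
Fetch = Callable[[str], Page]


def iter_rows(first_url: str, fetch: Fetch, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every row of a paged export, following @odata.nextLink until it is absent.

    `fetch(url)` must return the parsed JSON body of an authenticated GET to `url`.
    Guards against a server that hands back a link already followed and against
    unbounded paging, so a misbehaving endpoint cannot spin the loop forever.
    """
    url = first_url
    seen: set = set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError(f"nextLink loop: {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


def batch_rows(rows, max_rows: int, max_bytes: int) -> Iterator[List[dict]]:
    """Group rows into batches of at most max_rows and (JSON-serialised) max_bytes.

    Both caps are parameters because each ingestion path (Logs Ingestion API, the
    legacy HTTP Data Collector API, a Logic App action) has its own limit; look up
    the one you use. A single row larger than max_bytes is sent alone, not dropped.
    """
    batch: List[dict] = []
    size = 2  # the enclosing "[]"
    for row in rows:
        row_bytes = len(json.dumps(row, separators=(",", ":")).encode()) + 1  # +1 for comma
        if batch and (len(batch) >= max_rows or size + row_bytes > max_bytes):
            yield batch
            batch, size = [], 2
        batch.append(row)
        size += row_bytes
    if batch:
        yield batch


def export_to_batches(fetch: Fetch, page_size: int, max_rows: int, max_bytes: int) -> List[List[dict]]:
    """Pull the whole export at `page_size` rows per call and return ingestion-sized batches."""
    first = f"{EXPORT_URL}?pageSize={page_size}"
    return list(batch_rows(iter_rows(first, fetch), max_rows, max_bytes))


# --- constructed fake of the export endpoint (offline stand-in, not Microsoft's service) ---
def make_fake_fetch(total_rows: int, page_size: int) -> Fetch:
    """Serve `total_rows` constructed vulnerability rows in pages with @odata.nextLink.

    The real service returns an opaque nextLink; this fake encodes a plain offset in a
    hypothetical `skip` query parameter so the pager can be exercised deterministically.
    """
    rows = [
        {
            "id": f"device-{i:05d}_CVE-2024-{(i % 40) + 1000}",
            "deviceId": f"device-{i:05d}",
            "cveId": f"CVE-2024-{(i % 40) + 1000}",
            "softwareName": "constructed-sample",
            "vulnerabilitySeverityLevel": ["Low", "Medium", "High", "Critical"][i % 4],
        }
        for i in range(total_rows)
    ]

    def fetch(url: str) -> Page:
        assert url.startswith(EXPORT_URL), "fake only answers the export endpoint"
        query = parse_qs(urlparse(url).query)
        offset = int(query.get("skip", ["0"])[0])
        page: Page = {"value": rows[offset : offset + page_size]}
        if offset + page_size < total_rows:
            page["@odata.nextLink"] = f"{EXPORT_URL}?pageSize={page_size}&skip={offset + page_size}"
        return page

    return fetch


if __name__ == "__main__":
    # 20,000 rows like the poster's case, paged 5,000 at a time, then re-batched for ingestion.
    fake = make_fake_fetch(total_rows=20_000, page_size=5_000)
    out = export_to_batches(fake, page_size=5_000, max_rows=2_000, max_bytes=1_000_000)
    print(len(out), "batches,", sum(len(b) for b in out), "rows")
```

In a Logic App the same loop is an Until action: call the HTTP action, append `body('HTTP')?['value']` to the output, set the next URL from `body('HTTP')?['@odata.nextLink']`, and stop when that value is empty. Keep the loop-detection and page-count guards in whatever form you build, since an Until loop with no exit condition other than the link will run until the Logic App's own iteration limit.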

@Yong Rhee

Actually, what I am looking for is to send the CVE data from Defender to Sentinel. The current connector does not support sending vulnerability data to Sentinel, so what I planned is to run the query through an API call and then push the data to Sentinel. But every time I run the query I get the error below:

"message": "Query execution has exceeded the allowed result size. Optimize your query by limiting the amount of results and try again"

Optimizing the query didn't work because the table in Defender doesn't support time.

Do you have any solution for this?

Hello @abensabu28,
Please open a Microsoft CSS support ticket.
In parallel, submit "Give feedback" option within the M365D portal (security.microsoft.com).
Thanks,
Yong Rhee - MSFT