cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure Sentinal - how to fetch large result set of Winsec events by pagination

Peter_custodio
New Contributor

‎Sep 14 2021 02:22 AM - edited ‎Sep 14 2021 02:22 AM

‎Sep 14 2021 02:22 AM - edited ‎Sep 14 2021 02:22 AM

Azure Sentinal - how to fetch large result set of Winsec events by pagination

Hi Community,

We pump the logs of Window security events of some computers into Azure Sentinel SIEM. Now we retrieve those logs from Sentinel to local database by using REST API. The problem is when the result set is large, the API return error message like "Result size too large". So we want to implement pagination and fetch the data from SIEM then store it in local DB.

However, according to MS docs, Kql doesn't support "Skip" operator. 

So are there any ideas how to implement this pagination method to fetch the large result set from SIEM?

345 Views
0 Likes
3 Replies
Reply
3 Replies
Gary Bushey

‎Sep 14 2021 04:40 AM

‎Sep 14 2021 04:40 AM

Re: Azure Sentinal - how to fetch large result set of Winsec events by pagination

@Peter_custodio Can you limit the amount of data being returned by limiting the time range that you are looking at?  Granted it will take multiple calls, but it should work.

0 Likes
Reply
Peter_custodio

‎Sep 16 2021 06:31 PM

‎Sep 16 2021 06:31 PM

Re: Azure Sentinal - how to fetch large result set of Winsec events by pagination

@Gary Bushey 
Thanks for your suggestion. We want to fetch the data from Sentinel everyday by using Task scheduler job and insert into local DB then query it. 

So instead of calling multiple times in a day, is there any other ways to fetch large result set in one call?

 

0 Likes
Reply
best response confirmed by Peter_custodio (New Contributor)
Gary Bushey

‎Sep 17 2021 03:58 AM

‎Sep 17 2021 03:58 AM

Solution

Re: Azure Sentinal - how to fetch large result set of Winsec events by pagination

Not that I can see. The Log Analytics query REST API doesn't appear to allow for limits and pages.
1 Like
Reply