This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 73%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Hi, i am ingesting data from https://api.security.microsoft.com/api/incidents in data factory. However there is a max page for incidents of 100 but I have 440,000 so it takes long time to go through every page of 100. So I was hoping to maybe run advancedhunting queries with KQL for incidents. But I actually have no knowledge.
Anybody would be able to advise how to write the query? I need quite a few columns in the results.
incidents API https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide
similar question https://learn.microsoft.com/en-us/answers/questions/1110157/sentinel-kql-is-there-an-easy-way-to-get-the-top-1
Thank you.
Have you discounted using the built-in Sentinel connector and bringing the data to Sentinel (there is a cost for the raw data, but no cost if its just the Alert/Incident you need) - then you can use KQL on the data. I assume you selected DF as you have some other data there as well, to use?
We connect to few apis via data factory, all data is then stored in SQL database. I can run KQL in data factory so through it may eliminate some of the apis' limitations in terms of max result size.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 27%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
To run advanced hunting queries with KQL (Kusto Query Language) for incidents in Microsoft Defender for Endpoint (MDE), you can utilize the Advanced Hunting feature. This allows you to construct powerful queries to retrieve the required data from the incidents.
Here's an example of a basic KQL query to retrieve incidents from MDE:
KQL
Incidents
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
| limit 100
This query fetches the IncidentId, Title, Description, Severity, CreatedTime, and LastUpdateTime columns for the first 100 incidents. You can modify the columns based on your specific requirements.
To retrieve all the incidents without the pagination limit, you can remove the limit clause. However, be cautious as querying a large number of incidents may impact performance. It's advisable to filter the data based on specific criteria using additional clauses such as where or summarize to reduce the result set.
For example, if you want to retrieve incidents only with a severity level of "High," you can modify the query as follows:
kql
Incidents
| where Severity == "High"
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
You can customize the query based on your specific needs, including filtering, sorting, and aggregating data. The Microsoft Learn documentation on the MDE API you mentioned provides additional examples and guidance for constructing advanced queries.
Remember to refer to the MDE API documentation for the available columns and their corresponding names to include in your query.
Hope this helps you get started with writing advanced hunting queries using KQL for incidents in MDE!
Oh that sounds great, so I can basically list the 'columns' I need. I presume I can add a filter for the last 24 hours too. Thank you