Handle advanced hunting errors


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit predefined quotas and usage parameters. Refer to the table below for tips on how to resolve or avoid errors.

Error type Cause Resolution Error message examples
Syntax errors The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. Ensure references to Kusto operators and functions are correct. Check the schema for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. A recognition error occurred.
Semantic errors While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. Check for errors in the structure of query. Refer to Kusto documentation for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. 'project' operator: Failed to resolve scalar expression named 'x'
Timeouts A query can only run within a limited period before timing out. This error can happen more frequently when running complex queries. Optimize the query Query exceeded the timeout period.
CPU throttling Queries in the same tenant have exceeded the CPU resources that have been allocated based on tenant size. The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated quota. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. Optimize your queries to avoid hitting CPU quotas - This query used X% of your organization's allocated resources for the current 15 minutes.
- You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.
Result size limit exceeded The aggregate size of the result set for the query has exceeded the maximum size. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. Optimize the query Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.
Excessive resource consumption The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. Optimize the query -Query stopped due to excessive resource consumption.
-Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.
Unknown errors The query failed because of an unknown reason. Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. An unexpected error occurred during query execution. Please try again in a few minutes.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.