Handle advanced hunting errors
- Microsoft Defender XDR
Advanced hunting displays errors to notify you of syntax mistakes and whenever queries hit predefined quotas and usage parameters. Refer to the table below for tips on how to resolve or avoid errors.
| Error type | Cause | Resolution | Error message examples |
|---|---|---|---|
| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to Kusto operators and functions are correct. Check the schema for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | |
| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of the query. Refer to Kusto documentation for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | |
| Timeouts | A query can only run within a limited period before timing out. This error can happen more frequently when running complex queries. | Optimize the query | |
| CPU throttling | Queries in the same tenant have exceeded the CPU resources that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated quota. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. Optimize your queries to avoid hitting CPU quotas. | - |
| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum size. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | Optimize the query | |
| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | Optimize the query | - |
| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | |
- Advanced hunting best practices
- Quotas and usage parameters
- Understand the schema
- Kusto Query Language overview