Azure Sentinel KQL Results Now Supports 30k Rows Returned

Prior to a change available today, the results window in the Logs Blade for Azure Sentinel (and any other Log Analytics capable service) was limited to 10,000 rows returned.

This capability has been enhanced so that the results limit has been bumped to 30,000 rows.

30k – yay!

Personally – and I hope you’ll agree with me (if not, come talk to me) – as a security person you should never need this many results in a query result. As a security person, using KQL and your security experience, your goal is to tune the query so it returns a limited, well-defined result. When hunting, we’re looking for who did it, where they connected from, what resources they used and affected, etc. Our results should be very specific.

If we have 30,000 actual who-did-its…we have a bigger issue than the number of results that are returned.
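As an added illustration of the point above (this query is not from the original post), here is the shape a hunting query takes when it is tuned for a specific answer rather than a row dump. It assumes the standard Azure Sentinel `SigninLogs` table and its usual columns (`UserPrincipalName`, `IPAddress`, `ResultType`, `AppDisplayName`, `TimeGenerated`); the failure threshold and the row cap are constructed starting values to tune for your environment.

```kql
// Added example: a hunting query shaped to return a short, specific result set
// (who, from where, against what) instead of a raw dump of sign-in events.
// Assumes the standard SigninLogs table and column names.
let lookback = 24h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"            // failed sign-ins only; "0" is success
| summarize
    Failures  = count(),
    Apps      = make_set(AppDisplayName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where Failures >= 20               // constructed threshold; raise or lower for your tenant
| order by Failures desc
| project UserPrincipalName, IPAddress, Failures, FirstSeen, LastSeen, Apps
| take 50                            // cap the result: a hunt should fit on one screen
```

The `summarize ... by UserPrincipalName, IPAddress` step is what turns thousands of individual events into a handful of who/where pairs; the `where Failures >= 20` and `take 50` lines then keep the result small and reviewable, which is exactly the tuning the post argues for.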

But, hey…you ask, we deliver.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
