Hi Community,
We pump the Windows security event logs of some computers into Azure Sentinel SIEM. We then retrieve those logs from Sentinel into a local database using the REST API. The problem is that when the result set is large, the API returns an error message like "Result size too large". So we want to implement pagination, fetch the data from the SIEM in pages and store it in the local DB.
However, according to the MS docs, KQL doesn't support a "skip" operator.
We could call the API multiple times, fetching 1 hour of data per call, which would probably stay under the result size limit, but we would like to fetch many Windows security Event IDs in one call if possible.
So are there any ideas on how to implement this pagination method to fetch a large result set from the SIEM without multiple API calls?
Thanks in advance.
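Added example (not from the original post or from Microsoft): KQL has no skip, but a keyset ("seek") cursor over the sort columns gives stable pages without it. Each page is its own query with `where TimeGenerated > last_ts or (TimeGenerated == last_ts and _ItemId > last_id)`, ordered on the same two columns and capped with `take`, so the page boundary never duplicates or drops rows that share a timestamp. Assumptions, labelled in the code: the hidden Log Analytics column `_ItemId` is a unique per-row string usable as a tie-breaker; the HTTP call and authentication are left to the caller via `run_query`, and a local stand-in applies the same predicate to constructed rows so the code runs offline.

```python
"""Keyset pagination for a Sentinel / Log Analytics KQL query.

Added example, not code from the original post. ASSUMPTIONS: the hidden
Log Analytics column _ItemId is a unique, string-comparable per-row id
(tie-breaker for rows sharing TimeGenerated); the REST call and auth are
supplied by the caller as `run_query(query_text) -> list[dict]`.
"""
import re
from typing import Callable, Iterator, Optional

Cursor = Optional[tuple[str, str]]  # (TimeGenerated as ISO-8601 text, _ItemId)


def build_page_query(event_ids, cursor: Cursor, page_size: int, table: str = "SecurityEvent") -> str:
    """Return the KQL text for one page. int() casts keep query text free of injected operators."""
    ids = ", ".join(str(int(i)) for i in event_ids)
    lines = [table, f"| where EventID in ({ids})"]
    if cursor is not None:
        ts, item_id = cursor  # _ItemId values are GUID-like text, so no quoting issues here
        lines.append(
            f"| where TimeGenerated > datetime({ts}) "
            f'or (TimeGenerated == datetime({ts}) and _ItemId > "{item_id}")'
        )
    lines += [
        "| order by TimeGenerated asc, _ItemId asc",   # must match the cursor columns
        f"| take {int(page_size)}",
        "| project TimeGenerated, _ItemId, Computer, EventID, Account",
    ]
    return "\n".join(lines)


def fetch_all(run_query: Callable[[str], list[dict]], event_ids, page_size: int = 1000) -> Iterator[dict]:
    """Walk every page; a short page means the last one (saves one empty round-trip usually)."""
    cursor: Cursor = None
    while True:
        rows = run_query(build_page_query(event_ids, cursor, page_size))
        yield from rows
        if len(rows) < page_size:
            return
        last = rows[-1]
        cursor = (last["TimeGenerated"], last["_ItemId"])


# Constructed sample rows (not real telemetry). Four rows share one timestamp so a
# page boundary falls inside the tie; 4688 is outside the requested Event IDs.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "_ItemId": "a1", "Computer": "HOST1", "EventID": 4624, "Account": "alice"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "_ItemId": "a2", "Computer": "HOST2", "EventID": 4624, "Account": "bob"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "_ItemId": "a3", "Computer": "HOST1", "EventID": 4625, "Account": "eve"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "_ItemId": "a4", "Computer": "HOST3", "EventID": 4672, "Account": "svc"},
    {"TimeGenerated": "2024-05-01T10:00:01Z", "_ItemId": "a5", "Computer": "HOST1", "EventID": 4688, "Account": "alice"},
    {"TimeGenerated": "2024-05-01T10:00:02Z", "_ItemId": "a6", "Computer": "HOST2", "EventID": 4625, "Account": "eve"},
    {"TimeGenerated": "2024-05-01T10:00:02Z", "_ItemId": "a7", "Computer": "HOST2", "EventID": 4624, "Account": "carol"},
]


def local_runner(rows: list[dict]) -> Callable[[str], list[dict]]:
    """Offline stand-in for the REST call: evaluates the page query's predicate on `rows`."""
    def run(query: str) -> list[dict]:
        ids = {int(x) for x in re.search(r"EventID in \(([^)]*)\)", query).group(1).split(",")}
        m_ts = re.search(r"datetime\(([^)]+)\)", query)
        m_id = re.search(r'_ItemId > "([^"]+)"', query)
        size = int(re.search(r"\| take (\d+)", query).group(1))
        out = [r for r in rows if r["EventID"] in ids]
        if m_ts:  # same (timestamp, id) keyset comparison the service would apply
            key = (m_ts.group(1), m_id.group(1))
            out = [r for r in out if (r["TimeGenerated"], r["_ItemId"]) > key]
        out.sort(key=lambda r: (r["TimeGenerated"], r["_ItemId"]))
        return out[:size]
    return run


def collect_item_ids(event_ids=(4624, 4625, 4672), page_size: int = 3) -> list[str]:
    """Page through SAMPLE_EVENTS and return the _ItemId of every row seen, in order."""
    return [r["_ItemId"] for r in fetch_all(local_runner(SAMPLE_EVENTS), event_ids, page_size)]


if __name__ == "__main__":
    print(build_page_query((4624, 4625, 4672), ("2024-05-01T10:00:00Z", "a3"), 1000))
    print(collect_item_ids())
```

Against Sentinel you replace `local_runner` with a function that POSTs `{"query": query_text}` to the Log Analytics query endpoint for your workspace with a bearer token and returns the rows of the first table; each page is still one call. Persist the cursor (last `TimeGenerated`, last `_ItemId`) alongside the local DB commit so an interrupted run resumes without re-reading or skipping rows, and keep `take` below the service result-size limit rather than at it.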