Advanced hunting quotas and usage parameters

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to:

  • Microsoft 365 Defender

To keep the service performant and responsive, advanced hunting sets various quotas and usage parameters (also known as "service limits"). These quotas and parameters apply separately to queries run manually and to queries run using custom detection rules. Customers who run multiple queries regularly should be mindful of these limits and apply optimization best practices to minimize disruptions.

Refer to the following table to understand existing quotas and usage parameters.

Quota or parameter Size Refresh cycle Description
Data range 30 days Every query Each query can look up data from up to the past 30 days.
Result set 10,000 rows Every query Each query can return up to 10,000 records.
Timeout 10 minutes Every query Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
CPU resources Based on tenant size Every 15 minutes The portal displays an error whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle.

Note

A separate set of quotas and parameters apply to advanced hunting queries performed through the API. Read about advanced hunting APIs