From 4fa6023ea8655ac0ab60724e403b3e8e28d55753 Mon Sep 17 00:00:00 2001 From: Paul Oliveria Date: Fri, 19 Dec 2025 09:22:56 +0530 Subject: [PATCH] Update security API overview with query size limit Added a new point about query result size limit. --- api-reference/v1.0/resources/security-api-overview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api-reference/v1.0/resources/security-api-overview.md b/api-reference/v1.0/resources/security-api-overview.md index b88e12b360b..3f9d958880b 100644 --- a/api-reference/v1.0/resources/security-api-overview.md +++ b/api-reference/v1.0/resources/security-api-overview.md 
@@ -37,7 +37,8 @@ The following conditions relate to all queries. 3. You can make up to at least 45 calls per minute per tenant. The number of calls varies per tenant based on its size. 4. Each tenant is allocated CPU resources, based on the tenant size. Queries are blocked if the tenant reaches 100% of the allocated resources until after the next 15-minute cycle. To avoid blocked queries due to excess consumption, follow the guidance in [Optimize your queries to avoid hitting CPU quotas](/microsoft-365/security/defender/advanced-hunting-best-practices). 5. If a single request runs for more than three minutes, it times out and returns an error. -6. A `429` HTTP response code indicates that you reached the allocated CPU resources, either by the number of requests sent or by allotted running time. Read the response body to understand the limit you reached. +6. A `429` HTTP response code indicates that you reached the allocated CPU resources, either by the number of requests sent or by allotted running time. Read the response body to understand the limit you reached. +7. Query results have an overall size limit of 50 MB. This limit doesn't just refer to the number of records; factors such as the number of columns, data types, and field lengths also contribute to the query result size. ## Alerts Alerts are detailed warnings about suspicious activities in a customer's tenant that Microsoft or partner security providers identified and flagged for action. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is alerts from multiple security providers for multiple entities in the tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming.
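Review bot: the new item 7 gives the 50 MB result-size limit but not what the caller sees when a result exceeds it or how to stay under it, which is exactly what the neighbouring item 6 does for the `429` case ("Read the response body to understand the limit you reached"). Since the item itself says the size depends on the number of columns, data types and field lengths rather than on record count, add a sentence naming the response returned for an oversized result and a pointer to how to reduce it (select fewer columns, shorten long fields, return fewer rows), either inline or via the existing [Optimize your queries to avoid hitting CPU quotas](/microsoft-365/security/defender/advanced-hunting-best-practices) link referenced in item 4. Separately, the `-6.` and `+6.` lines are textually identical, so the hunk also carries a whitespace or line-ending change to item 6 that the commit message ("Added a new point about query result size limit") does not describe; drop it so the diff is the single added line.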