Threat Hunting & KQL

How to secure your global KQL executions with Rate Limiting

5 min read · Akuity SOC · Delphisoft Deutschland

Microsoft's Advanced Hunting API is powerful but subject to quotas. Find out how Akuity SOC Rate Limiting protects your MSSP tenants.

The Microsoft 365 Defender Advanced Hunting API is a gold mine for threat hunters. It allows you to query in KQL (Kusto Query Language) days, or even weeks, of security events recorded on a company's workstations and servers.

However, like any powerful tool, it comes with risks. For a managed security service provider (MSSP) that automates its queries across multiple tenants, poor handling of API calls can result in Microsoft temporarily blocking the service. This is where rate limiting becomes an essential part of the security architecture.

The risk of unlimited API querying (Throttling)

Microsoft protects its cloud infrastructure by imposing strict quotas on Advanced Hunting requests via Microsoft Graph or the Defender API. These limits relate to both:

  • Frequency: the number of requests sent per minute per tenant.
  • Resources: the compute time (CPU) consumed and the size of the data returned.

What happens if a junior SOC analyst writes an unoptimized KQL query (for example, a full-text search without a date filter on the very large DeviceNetworkEvents table) and runs it in a loop against 50 different clients?

Without a control mechanism, the Microsoft API will respond with HTTP 429 ("Too Many Requests"). The client tenant will be temporarily blocked (throttled). Legitimate threat hunting queries, and sometimes even some automated alerts, will be rejected, creating a critical blind spot in security monitoring.

The Akuity SOC approach: Protecting the client and the analyst

To provide a high-performance global, multi-tenant execution terminal without ever jeopardizing the integrity of your customers' Microsoft quotas, the Akuity SOC orchestrator integrates advanced query lifecycle management.

1. Integrated asynchronous rate limiting

Our platform doesn't just mindlessly relay the analyst's KQL query to Microsoft. The execution engine (backend) intercepts the command. It manages an intelligent queue and applies strict rate limiting that natively respects the quotas set by the vendor.

If several analysts launch intensive hunts simultaneously on the same tenant, Akuity smoothes the requests over time to avoid any spike effect which would trigger a block (HTTP 429).
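To make the queueing and smoothing concrete, here is an added example (written for this article, not Akuity's own engine code): a per-tenant token bucket that never drops a query but returns how long it must be held, plus a wrapper that pauses the tenant for the Retry-After period when the API still answers 429. The `api` callable and `FakeClock` are assumptions so the example runs offline.

```python
import time


class FakeClock:
    """Constructed deterministic clock so the example runs offline (not the Akuity engine)."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


class TenantRateLimiter:
    """Per-tenant token bucket: `burst` calls may go out at once, then `rate` calls/second.
    Calls beyond the budget are not dropped; acquire() returns how long to hold them,
    which smooths a burst from several analysts into a steady trickle to the API."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # tenant_id -> (tokens, timestamp at which those tokens were valid)

    def acquire(self, tenant_id):
        """Reserve one call slot; return seconds to wait before sending (0.0 = send now)."""
        now = self.clock()
        tokens, last = self.buckets.get(tenant_id, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[tenant_id] = (tokens - 1.0, now)
            return 0.0
        wait = (1.0 - tokens) / self.rate            # time until one token has accrued
        self.buckets[tenant_id] = (0.0, now + wait)  # that token is spent by this call
        return wait

    def penalize(self, tenant_id, seconds):
        """After an HTTP 429, empty the tenant's bucket so nothing is sent for `seconds`."""
        self.buckets[tenant_id] = (0.0, self.clock() + seconds)


def run_hunt(limiter, api, tenant_id, kql, max_retries=3, sleep=time.sleep):
    """Send one Advanced Hunting query through the limiter.
    `api(tenant_id, kql)` is a hypothetical callable returning (status, body);
    on 429 the tenant is paused for Retry-After (or exponential backoff) and retried."""
    for attempt in range(max_retries + 1):
        sleep(limiter.acquire(tenant_id))
        status, body = api(tenant_id, kql)
        if status != 429:
            return status, body
        limiter.penalize(tenant_id, float(body.get("Retry-After", 2 ** attempt)))
    return 429, {"error": "quota still exhausted after retries"}
```

Because the bucket is keyed by tenant, one analyst exhausting tenant A's budget never delays queries against tenant B.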

2. Visual Feedback and Loading Screen

User experience (UX) is essential to prevent the analyst from frantically clicking the “Run” button thinking the system has crashed.

During asynchronous execution of the KQL query, the editing console displays a translucent loading screen. The operator knows that their request is taken into account, queued if necessary, and being processed by the Microsoft backend.

3. Environment isolation (PostgreSQL RLS)

Runtime security is not just about Microsoft quotas. We must ensure that an analyst cannot inject a KQL query on a tenant that does not belong to him.

Thanks to the Row-Level Security (RLS) mechanism built into our PostgreSQL database, the targeted tenant's membership in the analyst's workspace is enforced at the database level before the Microsoft API is even called.

Optimize your KQL queries: Best practices

Even with the best Rate Limiting in the world, the quality of the KQL query remains essential. Here are some golden rules integrated into our “Quick Templates” to preserve your quotas:

  • Always use a time filter (TimeGenerated): limit the search to the last 7 or 14 days.
  • Filter before formatting: use the where clause as early as possible in your KQL script to reduce the volume of data before applying joins (join) or summaries (summarize).
  • Target specific tables: don't search for a malicious domain blindly across all tables. Target DeviceNetworkEvents for network traffic and DeviceProcessEvents for command lines.

Conclusion: Orchestration with complete peace of mind

Threat hunting automation is a necessity to scale, but it should not come at the expense of the stability of your clients' infrastructure. By embedding flow and queue control mechanisms, a modern SOC platform allows your teams to hunt threats with confidence.

Ready to deploy your queries without risk of blocking? Discover how our Threat Hunting Centralized KQL for MSSP console natively manages the velocity of your investigations.

Related solution page

Threat Hunting Centralized KQL for MSSP

Track weak signals at scale via our KQL Multi-Tenant console. Asynchronous execution, templates and protection by Rate Limiting.

Discover the complete solution