Forum Discussion

ts1120
Copper Contributor
Jul 16, 2021

Historical IOC searches

Hello everybody,

I'm interested to understand how others approach this and what is perhaps considered the best practice for performing historical searches for IOC hits against the log data within Sentinel.

For example, if a request is received to interrogate the previous 6 months' worth of retained log data against a large list of IOC IP addresses, what method is best suited for this?

Currently, I am creating KQL queries and running these against the appropriate tables, or all tables if this is required. However, these queries time out and end after circa 10 minutes, so this is not always practical for large investigations.

Additionally, construction of the KQL queries for multiple IOC values is time-consuming, as you have to manually populate the query string with the relevant IOC and Sentinel KQL operator, using find and replace for example, then pasting this back. Is there not a way, like other SIEMs, where you can create a list of IOCs (IP addresses, domains, etc.) and then reference that list within the KQL, so as not to have to manually construct the query on each occasion you perform your retrospective searches?

Thanks in advance for your help and comments.
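As an added illustration of the list-driven approach the question asks about (example KQL, not from the original post or from Microsoft): the IOC IPs are held in one tabular `let` and referenced with `in` from several tables, so only the list changes between investigations. The IP values are constructed documentation-range samples, and the `externaldata` URL is a placeholder for wherever you would store a large indicator file.

```kql
// Added example (not from the original post): check a list of IOC IPs
// against several tables over a long lookback without hand-editing each
// indicator into the query text.
let lookback = 180d;                      // roughly the 6 months asked about
// Constructed sample indicators (documentation ranges, not real IOCs).
// For a large list, load it from a CSV in storage instead, e.g.:
//   let iocIPs = externaldata(IndicatorIP:string)
//       [@"https://<storage-account>/<container>/iocs.csv?<sas-token>"] with (format="csv");
let iocIPs = datatable(IndicatorIP:string)
[
    "203.0.113.10",
    "198.51.100.25",
    "192.0.2.77"
];
union isfuzzy=true                        // isfuzzy: skip tables that do not exist in this workspace
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | where SourceIP in (iocIPs)
        | project TimeGenerated, SourceTable = "CommonSecurityLog", MatchedIP = SourceIP, Detail = DeviceVendor),
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | where DestinationIP in (iocIPs)
        | project TimeGenerated, SourceTable = "CommonSecurityLog", MatchedIP = DestinationIP, Detail = DeviceVendor),
    (SigninLogs
        | where TimeGenerated > ago(lookback)
        | where IPAddress in (iocIPs)
        | project TimeGenerated, SourceTable = "SigninLogs", MatchedIP = IPAddress, Detail = UserPrincipalName),
    (AzureActivity
        | where TimeGenerated > ago(lookback)
        | where CallerIpAddress in (iocIPs)
        | project TimeGenerated, SourceTable = "AzureActivity", MatchedIP = CallerIpAddress, Detail = OperationNameValue)
// Collapse raw hits into one row per indicator and table for triage.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count() by MatchedIP, SourceTable
| order by Hits desc
```

Filtering on `TimeGenerated` first in each branch keeps the scan bounded; if a full 6-month run still hits the query timeout, run the same query per month (or per table) and merge the summarised results.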