Forum Discussion
Larssen92
Nov 09, 2021
Brass Contributor
Lookback range on threat intelligence in analytic rules
Hi,
I have set up a MISP server to send Threat Intelligence into Sentinel. I have set it up via this guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-with-misp-and-sentinel/ba-p/1350371).
When sending the IoCs I need to set a configuration value for "days_to_expire". What impact does this have in Sentinel?
And another question (which might be related to the first?):
To my understanding, when making analytic rules in Sentinel, you can only look up data from the last 14 days. If I feed 100k IoCs into Sentinel today, what do I do in 14 days, when my analytic queries won't be able to query the IoCs anymore?
My wish is that I will be able to query my ingested IoCs in my analytic rules no matter when they were ingested.
Clive_Watson
Bronze Contributor
1. Cost mainly - if above the default retention of 90 days for Microsoft Sentinel.
2. That is true for Scheduled rules, which are limited to 14 days. Perf is a strong reason for this limit, so all Rules can run well. The workaround is either to do ad-hoc queries in the logs blade or….
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 – watch it all 😊, but the "14 days use case" starts at 42 min.

Larssen92
Brass Contributor
Thank you for the answers. Very useful webcast as well.
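The ad-hoc Logs-blade workaround from the answer above, written out as an added example (not code from the thread or from the MISP integration guide): it pulls indicators from the full default retention window rather than the 14-day scheduled-rule period, keeps only indicators that are still active and unexpired, and matches them against recent firewall events. It assumes that the MISP script's days_to_expire sets each indicator's ExpirationDateTime, and that the events to match are CommonSecurityLog rows with a DestinationIP column; the 90d/1d windows are illustrative values.

```kql
// Ad-hoc query for the Logs blade (not a scheduled rule, so the 14-day query-period cap does not apply).
// Assumptions: the MISP script's days_to_expire populates ExpirationDateTime, and the events
// to match are CommonSecurityLog rows carrying DestinationIP.
let ioc_lookBack = 90d;      // how far back to fetch indicators (default workspace retention)
let event_lookBack = 1d;     // how far back to scan events
let ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(NetworkIP)
    // one row per indicator: indicators are re-ingested when updated, so keep the latest version
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    // drop indicators the feed has deactivated or whose days_to_expire window has elapsed
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, NetworkIP, Description, ConfidenceScore, ThreatType, ExpirationDateTime;
CommonSecurityLog
| where TimeGenerated >= ago(event_lookBack)
| where isnotempty(DestinationIP)
| join kind=inner ip_indicators on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, SourceIP, DestinationIP, DeviceVendor, DeviceProduct,
          IndicatorId, Description, ConfidenceScore, ThreatType, ExpirationDateTime
| order by TimeGenerated desc
```

Because the indicator window is the longer one, indicators ingested weeks ago still match here, which is exactly what a scheduled rule with a 14-day query period would miss.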