Oct 09 2020 09:19 AM
Hi,
Can you control/set the data retention for different tables? Thinking we need to control ThreatIntelligenceIndicator and be able to reduce/increase at regular intervals.
Regards,
Tim
Oct 09 2020 09:34 AM
Oct 09 2020 11:26 AM
Oct 09 2020 12:13 PM
Your TI analytic rules ignore duplicate and expired entries. You could just add new indicators knowing the old will be groomed when expired and will not impact new entries. I would just add new.
You could manually delete entries using the new Threat Intelligence view if you don't have a large number to remove.
For larger tables there is a purge option: https://docs.microsoft.com/en-us/rest/api/loganalytics/workspacepurge/purge
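The "ignore duplicate and expired entries" behaviour described in the reply above can be modelled offline. This is an added example, not code from the thread or from Microsoft; it assumes the rules keep the latest record per `IndicatorId` and then only active, unexpired ones, and the rows are constructed samples using ThreatIntelligenceIndicator column names.

```python
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample rows (not real indicators); IPs are documentation ranges.
ROWS = [
    # A1 was ingested twice: the newer copy extends the expiry.
    {"IndicatorId": "A1", "TimeGenerated": "2020-10-01T00:00:00Z",
     "ExpirationDateTime": "2020-10-05T00:00:00Z", "Active": True, "NetworkIP": "203.0.113.10"},
    {"IndicatorId": "A1", "TimeGenerated": "2020-10-08T00:00:00Z",
     "ExpirationDateTime": "2020-11-08T00:00:00Z", "Active": True, "NetworkIP": "203.0.113.10"},
    # B2 has expired and was never refreshed.
    {"IndicatorId": "B2", "TimeGenerated": "2020-10-02T00:00:00Z",
     "ExpirationDateTime": "2020-10-06T00:00:00Z", "Active": True, "NetworkIP": "198.51.100.7"},
    # C3 was later marked inactive; the latest record wins.
    {"IndicatorId": "C3", "TimeGenerated": "2020-10-03T00:00:00Z",
     "ExpirationDateTime": "2020-12-01T00:00:00Z", "Active": True, "NetworkIP": "192.0.2.44"},
    {"IndicatorId": "C3", "TimeGenerated": "2020-10-07T00:00:00Z",
     "ExpirationDateTime": "2020-12-01T00:00:00Z", "Active": False, "NetworkIP": "192.0.2.44"},
    {"IndicatorId": "D4", "TimeGenerated": "2020-10-08T00:00:00Z",
     "ExpirationDateTime": "2020-10-20T00:00:00Z", "Active": True, "NetworkIP": "198.51.100.99"},
]


def _ts(value):
    """Parse a UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def effective_indicators(rows, now):
    """Return the indicators a rule would still match on at time `now`."""
    latest = {}
    for row in rows:
        current = latest.get(row["IndicatorId"])
        # Deduplicate: keep only the most recently ingested copy per indicator.
        if current is None or _ts(row["TimeGenerated"]) > _ts(current["TimeGenerated"]):
            latest[row["IndicatorId"]] = row
    # Drop indicators whose latest copy is inactive or already expired.
    live = [r for r in latest.values()
            if r["Active"] and _ts(r["ExpirationDateTime"]) > now]
    return sorted(live, key=lambda r: r["IndicatorId"])


if __name__ == "__main__":
    now = datetime(2020, 10, 9, 12, 0, tzinfo=timezone.utc)
    for row in effective_indicators(ROWS, now):
        print(row["IndicatorId"], row["NetworkIP"], row["ExpirationDateTime"])
```

The older rows are still stored in the table in this model; they simply stop contributing to matches, which is separate from how long the table retains them.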