Historical IOC searches


Hello everybody, 

I'm interested to understand how others approach this and what is perhaps considered the best practice for performing historical searches for IOC hits against the log data within Sentinel. 

For example, if a request is received to interrogate the previous 6 months' worth of retained log data against a large list of IOC IP addresses, what method is best suited for this?

Currently I am creating KQL queries and running these against the appropriate tables, or all tables if this is required. However, these queries time out and end after circa 10 minutes, so this is not always practical for large investigations.

Additionally, construction of the KQL queries for multiple IOC values is time consuming, as you have to manually populate the query string with the relevant IOC and Sentinel KQL operator, using find and replace for example, then pasting this back. Is there not a way, like in other SIEMs, where you can create a list of IOCs (IP addresses or domains etc.) and then reference that list within the KQL, so as not to have to manually construct the query on each occasion you perform your retrospective searches?

Thanks in advance for your help and comments.

1 Reply
Generally, if you need a list you have two main choices: creating the IP addresses or IOCs in a Watchlist (or on Azure Storage), or creating a dynamic list as part of the query.

https://docs.microsoft.com/en-us/azure/sentinel/watchlists

KQL example of a dynamic list:

// list of IOC IPs to match against
let IPList = dynamic(["216.24.185.74", "107.175.189.159", "194.88.106.146"]);
// any table with an IP column can be used in place of ThreatIntelligenceIndicator
ThreatIntelligenceIndicator
| where NetworkSourceIP in (IPList)
// one row per matched IP with its hit count
| summarize count() by NetworkSourceIP

Having a timeout 'suggests' there is some optimisation we can do; do you use the summarize command? Also see https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices
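Building on the reply's dynamic-list query, here is an added Python helper (example code, not from the thread or from Microsoft) that turns an IOC feed into that query and splits a six-month lookback into 30-day windows, one way to keep each run under the timeout the question describes. The sample feed, the table and column names and the window size are assumptions; ipv4_is_in_any_range() is a built-in KQL function, used here for CIDR entries.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample IOC feed (not from the thread): IPs, a CIDR, a duplicate, a bad entry.
SAMPLE_IOCS = """
216.24.185.74
107.175.189.159
216.24.185.74
194.88.106.0/24
not-an-ip
"""

def parse_ip_iocs(text):
    """Return (single IPs, CIDR ranges) from a feed, validated and deduplicated."""
    ips, ranges = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if "/" in line:
                ranges.add(str(ipaddress.ip_network(line, strict=False)))
            else:
                ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # skip malformed entries instead of pasting them into the query
    return sorted(ips), sorted(ranges)

def build_kql(table, column, ips, ranges, start, end):
    """Build one KQL query matching `column` against the IOC lists in [start, end)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    quoted = lambda items: ", ".join(f'"{i}"' for i in items)
    conds = ([f"{column} in (IPList)"] if ips else []) + \
            ([f"ipv4_is_in_any_range({column}, RangeList)"] if ranges else [])
    return "\n".join([
        f"let IPList = dynamic([{quoted(ips)}]);",
        f"let RangeList = dynamic([{quoted(ranges)}]);",
        table,
        f"| where TimeGenerated between (datetime({start.strftime(fmt)}) .. datetime({end.strftime(fmt)}))",
        f"| where {' or '.join(conds)}",
        f"| summarize Hits=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by {column}",
    ])

def window_queries(table, column, ips, ranges, start, end, days=30):
    """Split a long lookback into fixed windows so each query stays well under the timeout."""
    out, cur = [], start
    while cur < end:
        nxt = min(cur + timedelta(days=days), end)
        out.append(build_kql(table, column, ips, ranges, cur, nxt))
        cur = nxt
    return out
```

Each returned query can be run separately (or scheduled) and the per-window results unioned afterwards; for a very large IOC list, chunk the parsed IPs before calling build_kql so no single dynamic() literal becomes unwieldy.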