SOLVED

Lookback range on threat intelligence in analytic rules

Brass Contributor

Hi,

I have set up a MISP server to send threat intelligence into Sentinel. I have set it up via this guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-...)
When sending the IoCs I need to set a configuration value for "days_to_expire". What impact does this have in Sentinel?

And another question (which might be related to the first?):
To my understanding, when making analytic rules in Sentinel, you can only look up data from the last 14 days. If I feed 100k IoCs into Sentinel today, what do I do in 14 days, when my analytic queries won't be able to query the IoCs anymore?

My wish is that I will be able to query my ingested IoCs in my analytic rules no matter when they were ingested.

2 Replies
best response confirmed by Larssen92 (Brass Contributor)
Solution
1. Cost mainly - if above the default retention of 90 days for Microsoft Sentinel.
2. That is true for Scheduled rules, which are limited to 14 days. Perf is a strong reason for this limit, so all rules can run well. The workaround is either to do ad-hoc queries in the Logs blade or….
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 – watch it all :smiling_face_with_smiling_eyes:, but the "14 days use case" starts at 42 min.
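For readers wanting to see how the two answers connect in a query, here is an added example (written for this thread, not code from either poster or from the MISP guide) of the analytic-rule pattern Microsoft's own TI templates use. It assumes the standard Sentinel ThreatIntelligenceIndicator and CommonSecurityLog tables; the 14-day value is the scheduled-rule limit mentioned in the reply, and the 1-hour window is a chosen rule frequency. The "days_to_expire" setting from the question surfaces as ExpirationDateTime, which the query checks explicitly.

```kql
// Added example (not from the thread): scheduled-rule style query that matches
// the latest active IP indicators against CommonSecurityLog destination IPs.
// Assumptions: standard ThreatIntelligenceIndicator / CommonSecurityLog schemas.
let ioc_lookBack = 14d;   // indicator window: the scheduled-rule maximum from the reply
let dt_lookBack  = 1h;    // event window: matches the rule's run frequency (assumed)
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// Each MISP push writes a new row per indicator; keep only the newest copy of each one
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// days_to_expire from MISP ends up in ExpirationDateTime: expired or deactivated IoCs drop out here
| where Active == true and ExpirationDateTime > now()
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.DestinationIP
// Only count a hit if the event happened before the indicator expired
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
| project LatestIndicatorTime, Description, ThreatType, ConfidenceScore, TI_ipEntity,
          CommonSecurityLog_TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP
```

The reason this keeps working past day 14 is the assumption that the MISP integration runs on a schedule and re-pushes every indicator that is still valid, so each one gets a fresh TimeGenerated inside the lookback; indicators MISP stops sending age out of the window, and the ExpirationDateTime check removes anything whose days_to_expire has elapsed even if a copy is still within the 14 days.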

Thank you for the answers. Very useful webcast as well.
