Nov 09 2021 12:43 AM
Hi,
I have set up a MISP server to send Threat Intelligence into Sentinel. I have set it up via this guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-...).
When sending the IoCs I need to set a configuration value for "days_to_expire". What impact does this have in Sentinel?
And another question (which might be related to the first?):
To my understanding, when making analytic rules in Sentinel, you can only look up data from the last 14 days. If I feed 100k IoCs into Sentinel today, what do I do in 14 days, when my analytic queries won't be able to query the IoCs anymore?
My wish is that I will be able to query my ingested IoCs in my analytic rules no matter when they were ingested.
Nov 09 2021 07:35 AM
Solution
Nov 09 2021 11:53 PM