SOLVED

Lookback range on threat intelligence in analytic rules


Hi,

I have set up a MISP server to send Threat Intelligence into Sentinel. I have set it up via this guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-...)
When sending the IoCs I need to set a configuration value for "days_to_expire". What impact does this have in Sentinel?

And another question (which might be related to the first?):
To my understanding, when making analytic rules in Sentinel, you can only look up data from the last 14 days. If I feed 100k IoCs into Sentinel today, what do I do in 14 days, when my analytic queries won't be able to query the IoCs anymore?

My wish is that I will be able to query my ingested IoCs in my analytic rules no matter when they were ingested.

2 Replies
best response confirmed by Larssen92 (Occasional Contributor)
Solution
1. Cost mainly - if above the default retention of 90 days for Microsoft Sentinel
2. That is true for Scheduled rules, which are limited to 14 days. Perf is a strong reason for this limit, so all Rules can run well. The workaround is either to do ad-hoc queries in the logs blade or….
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 – watch it all 😊, but the “14 days use case” starts at 42min

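As an added illustration of the two points in the accepted answer (this is example KQL written for this page, not code from the thread or from the MISP-to-Sentinel guide), the query below is shaped like a scheduled analytic rule that stays inside the 14-day lookback: it only reads indicators ingested in the last 14 days, keeps the newest copy of each `IndicatorId`, drops anything whose `ExpirationDateTime` has passed, and matches the remaining IP indicators against recent firewall events in `CommonSecurityLog`. It assumes the MISP connector populates `ExpirationDateTime` from the `days_to_expire` setting the question asks about; that mapping is an assumption here, not something the thread confirms.

```kql
// Added example for this thread, not from the original post or the MISP guide.
// Assumption: the MISP connector writes days_to_expire into ExpirationDateTime,
// so an indicator past that date is filtered out below even if it is still within
// the 14-day ingestion window.
let ioc_lookBack = 14d;   // scheduled rules cannot read further back than this
let dt_lookBack  = 1h;    // event window; align with the rule's run frequency
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)      // only indicators ingested in the last 14 days
| where ExpirationDateTime > now()              // honour days_to_expire (assumed mapping)
| where Active == true
| where isnotempty(NetworkIP)
// An IoC re-sent by MISP appears more than once; keep only its newest row
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
) on $left.NetworkIP == $right.DestinationIP
// Ignore traffic that happened before the indicator was (re)published
| where CSL_TimeGenerated >= LatestIndicatorTime
| project CSL_TimeGenerated, Description, ThreatType, ConfidenceScore,
          NetworkIP, SourceIP, DestinationIP, DeviceVendor, DeviceProduct
```

For the ad-hoc path the answer mentions, the same query can be pasted into the Logs blade with `ioc_lookBack` raised to whatever your retention allows (the answer cites 90 days as the default), since the 14-day ceiling applies to Scheduled rules rather than to interactive queries. The practical consequence for the original question is that an indicator must be re-sent (so its `TimeGenerated` refreshes) or re-queried ad hoc once it is older than 14 days; the scheduled rule alone will not see it.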
Thank you for the answers. Very useful webcast as well