SOLVED

Lookback range on threat intelligence in analytic rules

Contributor

Hi,

I have set up a MISP-server to send Threat Intelligence into sentinel.  I have set it up via this guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-...)
When sending the IoC's  I need to set a configuration-value for "days_to_expire". What impact does this have in Sentinel?

And another question (which might be related to the first?):
To my understanding, when making analytic rules in Sentinel, you can only lookup data from the last 14 days. If I feed 100k IoC's into sentinel today, what do i do in 14 days, when my analytic queries won't be able to query the IoC's anymore?

My wish is that I will be able to query my ingested IoC's in my analytic rules no matter when they were ingested.

2 Replies
best response confirmed by Larssen92 (Contributor)
Solution
1. Cost mainly - if above the default retention of 90days for Microsoft Sentinel
2. That is true for Scheduled rules which are limited to 14days. Perf is a strong reasons for this limit, so all Rules can run well. The workaround is either to do ad-hoc queries in the logs blade or….
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 – watch it all :smiling_face_with_smiling_eyes:, but “14days use case” starts at 42min

Thank you for the answers. Very useful webcast aswell