Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
989 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
This is an interesting problem. Your TAXII provider is not setting an expiration date.
This table automatically purges expired records. The retention setting are ignored and these records will be retained forever without an expiration. As you know these are only valid for so long. There is no easy way to update these records in mass.
I recommend exporting the table into CSV. Use the purge API to dump the table. Then bulk import the records again with a newly set expiration date. Though this problem will persist if the feed is not improved.
https://learn.microsoft.com/en-us/rest/api/loganalytics/workspace-purge/purge?tabs=HTTP