When are expired TI Indicators deleted from Sentinel web interface?

Joakim Loxdal 20 Reputation points
2023-03-29T12:56:45.06+00:00

Hi!

I am using the Graph API to push indicators to Sentinel.

If I push TI indicators with an expiry date in one hour and then wait for 1 hour, the indicators will remain in the web interface of Sentinel (you can even see that they are expired in the 'Valid until' field).

For example, I currently have an indicator with this value in the Valid until field:

Valid until Wed, Mar 29, 2023, 1:51:03 PM GMT+2

While GMT+2 is right now 14:56 (02:56 PM), so that means it is expired.

Will the indicator be cleaned up, and in that case, when is it removed from the web interface of Sentinel?

Thank you,

Joakim


Accepted answer
    Andrew Blumhardt 9,776 Reputation points Microsoft Employee
    2023-03-29T15:14:19.9766667+00:00

    Expired indicators remain in the Sentinel TI table until the data retention limit is reached. The records are renewed at least daily until the expiration date is reached. After that, the records remain until the table retention limit is reached.

    I am not certain what criteria are used by the Indicators view to list or hide indicators.

    This sample query might help when working with this special table:

    let ioc_lookBack = 14d;  // assumed lookback window; the snippet as posted did not define this variable
    ThreatIntelligenceIndicator
    // drop records outside the lookback window and records whose expiry has already passed
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    // keep only the most recent record per indicator (indicators are re-ingested at least daily)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    // indicators deleted through the API are kept with Active == false
    | where Active == true

    1 person found this answer helpful.
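As an added illustration (not part of the answer above or any Microsoft sample), the following Python script models the three steps of that KQL query over a handful of constructed rows shaped like the ThreatIntelligenceIndicator table: a daily-renewed indicator whose older copy has expired, the one-hour indicator from the question (still in the table, but past its Valid until), an indicator deleted through the API so its newest record carries Active == false, and one whose only record is older than the lookback window. The column subset, the sample values, the fixed "now" and the 14-day default lookback are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed rows modelled on the ThreatIntelligenceIndicator columns the query uses.
# The real table has many more columns; only the ones the query touches are kept.
@dataclass(frozen=True)
class IndicatorRow:
    indicator_id: str         # IndicatorId
    time_generated: datetime  # TimeGenerated (ingestion time of this copy of the record)
    expiration: datetime      # ExpirationDateTime
    active: bool              # Active (false once the indicator is deleted via the API)
    value: str                # the observable itself; informational only here


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Fixed "now" so the results are deterministic: shortly after the question was posted.
NOW = _utc(2023, 3, 29, 13, 0)

SAMPLE_ROWS = [
    # ioc-1: re-ingested daily, each run extends the expiry; older copy expired, newest valid.
    IndicatorRow("ioc-1", _utc(2023, 3, 28, 12, 0), _utc(2023, 3, 29, 12, 0), True, "203.0.113.10"),
    IndicatorRow("ioc-1", _utc(2023, 3, 29, 11, 0), _utc(2023, 3, 30, 11, 0), True, "203.0.113.10"),
    # ioc-2: pushed with a one-hour expiry (1:51 PM GMT+2 is 11:51 UTC). Still in the table, but expired.
    IndicatorRow("ioc-2", _utc(2023, 3, 29, 10, 51), _utc(2023, 3, 29, 11, 51), True, "evil.example"),
    # ioc-3: deleted through the API after ingestion; the newest record carries Active == False.
    IndicatorRow("ioc-3", _utc(2023, 3, 29, 10, 0), _utc(2023, 4, 5, 0, 0), True, "198.51.100.7"),
    IndicatorRow("ioc-3", _utc(2023, 3, 29, 12, 0), _utc(2023, 4, 5, 0, 0), False, "198.51.100.7"),
    # ioc-4: not expired, but its only record is older than the 14-day lookback window.
    IndicatorRow("ioc-4", _utc(2023, 3, 1, 9, 0), _utc(2023, 4, 1, 0, 0), True, "malware.example"),
]


def latest_per_indicator(rows):
    """Equivalent of `summarize arg_max(TimeGenerated, *) by IndicatorId`."""
    latest = {}
    for row in rows:
        current = latest.get(row.indicator_id)
        if current is None or row.time_generated > current.time_generated:
            latest[row.indicator_id] = row
    return latest


def active_indicator_ids(rows, now=NOW, lookback_days=14):
    """Mirror of the query, applied in the same order:
    1. TimeGenerated >= ago(lookback) and ExpirationDateTime > now()
    2. arg_max(TimeGenerated, *) by IndicatorId
    3. Active == true
    Returns the sorted IndicatorIds that a detection should still match on."""
    cutoff = now - timedelta(days=lookback_days)
    in_window = [r for r in rows if r.time_generated >= cutoff and r.expiration > now]
    latest = latest_per_indicator(in_window)
    return sorted(i for i, r in latest.items() if r.active)


def expired_indicator_ids(rows, now=NOW):
    """Indicators whose most recent record has passed its ExpirationDateTime.
    Their rows are still in the table (retention, not expiry, removes them),
    which is why the portal can show a 'Valid until' that is already in the past."""
    latest = latest_per_indicator(rows)
    return sorted(i for i, r in latest.items() if r.expiration <= now)


if __name__ == "__main__":
    print("rows retained in table:", len(SAMPLE_ROWS))
    print("usable indicators:", active_indicator_ids(SAMPLE_ROWS))
    print("expired but still present:", expired_indicator_ids(SAMPLE_ROWS))
```

Note that the query filters on ExpirationDateTime before taking arg_max, so an indicator whose newest copy is expired but whose older copy is not would still surface through the older copy; the script keeps that order on purpose so its results match the query rather than a stricter "latest record must be valid" rule.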
