[Feature] Add Lookback time to Modules #479

Closed
NobleWolf opened this issue Jan 3, 2025 · 3 comments · Fixed by briandelmsft/STAT-Function#135 or #484
Labels
enhancement Enhancement to existing module module/aadrisks AAD Risks Module module/file File Module module/mde Microsoft Defender for Endpoint Module module/relatedalerts Related Alerts Module module/ueba User Entity Behavior Analytics Module

Comments

@NobleWolf

Is your feature request related to a problem? Please describe.
The problem is that Analysts do not know the amount of time included in a data lookup. So, unless they check the STAT docs they do not know how much time (5 hours or 30 days) this enrichment includes data for. In our home-built integrations we include the lookback time at the bottom of every enrichment.

Describe the solution you'd like
It would be useful to have modules that do a data lookup to include a final line noting how far back the lookup went.

[screenshot]

In this screenshot the last line should be something like "*Lookup includes most recent 5 days."

Describe alternatives you've considered
None.

Additional context
None

@NobleWolf NobleWolf added the pending-triage Submitted issue needing triage label Jan 3, 2025
@briandelmsft briandelmsft added module/aadrisks AAD Risks Module module/relatedalerts Related Alerts Module module/ueba User Entity Behavior Analytics Module module/mde Microsoft Defender for Endpoint Module module/file File Module labels Jan 3, 2025
@briandelmsft
Owner

@NobleWolf thanks for the feedback. I think this makes a lot of sense for the majority of modules.

I don't think I'd want to do it for the KQL module as you have an option already to include a custom query description, and since the LookbackInDays could be influenced by filters in the KQL query I wouldn't want to just take the lookback in days and put that in the enrichment. Do you agree?

I also don't think there's anything to add for Modules like Watchlist and TI where we are always checking all the relevant data so the lookback period isn't really relevant.
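
As an added illustration of the behaviour discussed in the request and in the reply above (not STAT's own code; the module names and the set of modules that get no footer are assumptions drawn from this thread), the following Python renders the "*Lookup includes most recent ..." line for modules that do a bounded data lookup, formats the window in hours or days, and leaves it out for Watchlist, TI and KQL, where the lookback period is either not relevant or is set by the query itself:

```python
from typing import List, Optional

# Hypothetical illustration, not STAT's own implementation. Module names are
# assumptions based on the discussion in this issue: Watchlist and TI always
# check all relevant data, and the KQL module's effective window depends on
# the query's own filters, so none of them get a lookback footer.
LOOKBACK_NOT_APPLICABLE = {"watchlist", "ti", "kql"}

HOURS_PER_DAY = 24


def format_lookback(lookback_hours: int) -> str:
    """Render a lookback window as whole days when it is a multiple of 24 hours,
    otherwise as hours (e.g. 5 hours, 30 days)."""
    if lookback_hours <= 0:
        raise ValueError("lookback_hours must be positive")
    if lookback_hours % HOURS_PER_DAY == 0:
        days = lookback_hours // HOURS_PER_DAY
        return f"{days} {'day' if days == 1 else 'days'}"
    return f"{lookback_hours} {'hour' if lookback_hours == 1 else 'hours'}"


def lookback_footer(module: str, lookback_hours: int) -> Optional[str]:
    """Footer line for an enrichment, or None when a lookback is not meaningful
    for this module."""
    if module.lower() in LOOKBACK_NOT_APPLICABLE:
        return None
    return f"*Lookup includes most recent {format_lookback(lookback_hours)}."


def append_lookback_footer(module: str, enrichment_lines: List[str],
                           lookback_hours: int) -> List[str]:
    """Return a copy of the enrichment text with the lookback note appended as
    its final line when the module performs a bounded lookup."""
    footer = lookback_footer(module, lookback_hours)
    result = list(enrichment_lines)
    if footer is not None:
        result.append(footer)
    return result


if __name__ == "__main__":
    # Constructed sample enrichment, not real alert data.
    sample = ["Related alerts for user@example.com", "- 2 medium severity alerts"]
    for line in append_lookback_footer("relatedalerts", sample, 5 * HOURS_PER_DAY):
        print(line)
```

The footer is rendered from the module's configured window rather than from the returned data, so an empty result set still tells the analyst how far back the lookup reached.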

@NobleWolf
Author

NobleWolf commented Jan 3, 2025 via email

@briandelmsft
Owner

@NobleWolf if you upgrade to v2.1 using https://github.com/briandelmsft/SentinelAutomationModules/wiki/Updating this is in it. Only the function app part is required to get this, but other parts of v2.1 need permissions and connector upgrade which is documented in the link above
