Learn how to set a default expiration method for indicators.
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the Expiration field. When indicators expire, they still exist in Cortex XSIAM , meaning they are still displayed and you can still search for them. A job that runs every week checks for newly expired indicators and updates the Expiration Status field.
Note
If an indicator is marked for expiration, the status does not change to expired until the weekly job runs.
You can set the default expiration method for indicators either to never expire or to expire after a specific period of time. The default expiration method is set by the indicator type. For more information see Indicator Type Profile.
This is the hierarchy by which indicators are expired.
Method | Description |
|---|---|
Manual | A user manually expires the indicator or sets it to never expire. This method overrides all other methods. |
Automation script | Use the (Same in the indicator expiration hierarchy as manual.) Use the |
Feed integration | Some integrations support setting the expiration method on an integration instance level, which overrides the method defined for the indicator type. |
Indicator type | The expiration method (interval or never) is defined according to indicator type, which applies to all indicators of this type. This is the default expiration method for an indicator. |