Cortex XSIAM indicators have an Active or Expired status; an indicator can be set to expire after a specific period or never to expire. Set default expiration method.
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the Expiration field. When indicators expire, they still exist in Cortex XSIAM: they are still displayed and you can still search for them. A job that runs every hour checks for newly expired indicators and updates the Expiration Status field.
When indicators expire, the Expiration Status and Expiration fields are updated. You can use these field changes to take actions based on indicator expiration. For more information, see Indicator field trigger scripts.
You can set the default expiration method for indicators either to never expire or to expire after a specific period. The default expiration method is set by the indicator type. For more information, see Indicator type profile.
The following table shows the hierarchy by which indicators are expired.
| Method | Description |
|---|---|
| Manual | Manually expire the indicator either in the indicator layout or in the CLI. This method overrides all other methods. Note: You need to run CLI commands in the Incident or Alert War Room. You can also use these commands in a script, but a user can override the script by running a command in the CLI or from the indicator layout. |
| Feed integration | Some integrations support setting the expiration method at the integration instance level, which overrides the method defined for the indicator type. |
| Indicator type | The expiration method (interval or never) is defined according to the indicator type and applies to all indicators of this type. This is the default expiration method for an indicator. |
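The precedence in the table and the hourly status update, modelled as an added Python example. This is not Cortex XSIAM's own code: the per-type defaults (a 7-day interval for IP, never for Domain), the indicator values and the field names on the `Indicator` class are constructed for illustration. It shows which method decides the Expiration field for each indicator and which indicators flip from Active to Expired in one run of the job, which is the transition an indicator field trigger script would react to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ExpirationPolicy:
    """An expiration method as the page describes it: 'interval' or 'never'."""
    method: str                       # "interval" or "never"
    interval: Optional[timedelta] = None

    def __post_init__(self):
        if self.method not in ("interval", "never"):
            raise ValueError(f"unknown expiration method: {self.method}")
        if self.method == "interval" and self.interval is None:
            raise ValueError("interval method requires an interval")


@dataclass
class Indicator:
    value: str
    indicator_type: str
    first_seen: datetime
    feed_policy: Optional[ExpirationPolicy] = None   # set on the integration instance, if supported
    manual_expiration: Optional[datetime] = None     # set when an analyst expires it by hand
    expiration: Optional[datetime] = None            # Expiration field (None means never)
    expiration_status: str = "Active"                # Expiration Status field


# Hypothetical per-type defaults (assumed values, not a real indicator type profile).
TYPE_DEFAULTS = {
    "IP": ExpirationPolicy("interval", timedelta(days=7)),
    "Domain": ExpirationPolicy("never"),
}


def resolve_expiration(ind: Indicator):
    """Apply the hierarchy from the table: manual > feed integration > indicator type.
    Returns (expiration datetime or None for never, name of the method that decided)."""
    if ind.manual_expiration is not None:
        return ind.manual_expiration, "manual"
    policy, source = ind.feed_policy, "feed integration"
    if policy is None:
        policy, source = TYPE_DEFAULTS[ind.indicator_type], "indicator type"
    if policy.method == "never":
        return None, source
    return ind.first_seen + policy.interval, source


def status_at(expiration: Optional[datetime], now: datetime) -> str:
    """Expiration Status is derived from the Expiration field."""
    if expiration is None or now < expiration:
        return "Active"
    return "Expired"


def hourly_expiration_job(indicators, now: datetime):
    """Model of the hourly job: recompute the Expiration field and update
    Expiration Status. Returns the values of indicators that newly expired
    in this run; a second run at the same time returns nothing."""
    newly_expired = []
    for ind in indicators:
        ind.expiration, _ = resolve_expiration(ind)
        new_status = status_at(ind.expiration, now)
        if new_status == "Expired" and ind.expiration_status == "Active":
            newly_expired.append(ind.value)
        ind.expiration_status = new_status
    return newly_expired


def demo():
    """Constructed sample set covering each row of the hierarchy."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inds = [
        Indicator("192.0.2.10", "IP", t0),                        # type default: 7-day interval
        Indicator("192.0.2.11", "IP", t0,
                  feed_policy=ExpirationPolicy("interval", timedelta(days=30))),
        Indicator("example.com", "Domain", t0),                   # type default: never
        Indicator("example.net", "Domain", t0,
                  manual_expiration=t0 + timedelta(hours=1)),     # manual overrides "never"
    ]
    now = t0 + timedelta(days=10)
    return inds, now, hourly_expiration_job(inds, now)


if __name__ == "__main__":
    inds, now, newly = demo()
    for ind in inds:
        print(ind.value, ind.expiration_status, resolve_expiration(ind)[1])
    print("newly expired this run:", newly)
```

Running the job ten days after first sighting expires the IP on its 7-day type default and the manually expired domain, while the feed-level 30-day interval and the never-expiring domain stay Active; the expired indicators are still present in the list, matching the page's point that expired indicators remain searchable.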