Expire an indicator - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Expire an indicator in the CLI or in the UI.

Indicators can have the Expiration Status field set to Active or Expired. When indicators expire, they still exist in Cortex XSIAM, meaning they are still displayed and you can still search for them. You may want to expire an indicator to filter out less relevant alerts, allowing analysts to focus on active threats. Expiring IoCs that are no longer relevant helps ensure that security systems remain focused on current threats.

You can set up expiration in the indicator type, integration feed, or in a script. For more information, see Configure indicator expiration. When you manually expire an indicator, this overrides indicator extraction rules set in scripts, indicator types, and feeds.

You can expire indicators using the following methods:

  • In the indicator layout by clicking Expire indicator.

  • Use the expireIndicators command to change the expiration status to Expired for one or more indicators. This command accepts a comma-separated list of indicator values and supports multiple indicator types. For example, you can set the expiration status for an IP address, domain, and file hash: !expireIndicators value=,safeurl.com,45356A9DB614ED7161A3B9192E2F318D0AB5AD10.

  • Use the !setIndicator or for multiple indicators use the !setIndicators command to reset the indicators' expiration value. The value can also be set to Never, so that the indicators never expire. For example, !setIndicators indicatorsValues=watson.com expiration=Never.


You need to run these commands in the Incident or Alert War Room.