Expire an indicator in the CLI or in the UI.
Indicators can have the Expiration Status field set to Active or Expired. When indicators expire, they still exist in Cortex XSOAR: they are still displayed and you can still search for them. You may want to expire indicators that are no longer relevant so that they stop contributing to alerts, allowing analysts and downstream security systems to stay focused on current, active threats.
You can set up expiration in the indicator type, integration feed, or in a script. For more information, see Configure indicator expiration. When you manually expire an indicator, this overrides the indicator expiration rules set in scripts, indicator types, and feeds.
You can expire indicators using the following methods:
In the indicator layout by clicking Expire indicator.
You need a TIM license to access the indicator layout.
Use the expireIndicators command to change the expiration status to Expired for one or more indicators. This command accepts a comma-separated list of indicator values and supports multiple indicator types. For example, to expire an IP address, a domain, and a file hash in one command:
!expireIndicators value=1.1.1.1,safeurl.com,45356A9DB614ED7161A3B9192E2F318D0AB5AD10
Use the !setIndicator command, or !setIndicators for multiple indicators, to reset the indicators' expiration value. The value can also be set to Never, so that the indicators never expire. For example:
!setIndicators indicatorsValues=watson.com expiration=Never
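The same two commands are what you would call from an automation when expiring indicators in bulk, for example to expire everything not seen for 60 days while pinning an allow-list to Never. The script below is an added example, not code from the Cortex XSOAR documentation or product. It assumes indicator records with value and lastSeen fields (as a findIndicators search returns) and that demisto.executeCommand is the automation API used to run the commands; the sample indicators, the cut-off date and the allow-list are constructed for illustration. Only the selection and argument-building functions run outside XSOAR; run_in_xsoar needs the injected demisto object.

```python
"""Bulk-expire stale indicators and pin an allow-list (added example, not XSOAR code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample resembling findIndicators output, trimmed to the fields used here.
SAMPLE_INDICATORS = [
    {"value": "1.1.1.1", "indicator_type": "IP", "lastSeen": "2024-01-02T10:00:00Z"},
    {"value": "safeurl.com", "indicator_type": "Domain", "lastSeen": "2024-03-28T10:00:00Z"},
    {"value": "45356A9DB614ED7161A3B9192E2F318D0AB5AD10", "indicator_type": "File",
     "lastSeen": "2023-11-20T10:00:00Z"},
    {"value": "watson.com", "indicator_type": "Domain", "lastSeen": "2023-06-01T10:00:00Z"},
]
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed "current time"
MAX_AGE = timedelta(days=60)
PINNED = {"watson.com"}  # constructed allow-list: never expire these


def _parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps XSOAR uses into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def partition(indicators, now=NOW, max_age=MAX_AGE, pinned=PINNED):
    """Split indicator values into (to_expire, to_pin).

    Pinned values win regardless of age; everything else is expired when its
    lastSeen is older than max_age. Recently seen, unpinned values are untouched.
    """
    to_expire, to_pin = [], []
    for ind in indicators:
        value = ind["value"]
        if value in pinned:
            to_pin.append(value)
        elif now - _parse_ts(ind["lastSeen"]) > max_age:
            to_expire.append(value)
    return to_expire, to_pin


def build_commands(to_expire, to_pin, batch_size=50):
    """Return (command, args) pairs using the documented argument names.

    Both commands take a comma-separated list, so a value containing a comma
    cannot be passed safely and is rejected rather than silently split.
    Batching keeps any single argument from growing without bound.
    """
    for v in to_expire + to_pin:
        if "," in v:
            raise ValueError(f"comma in indicator value, cannot batch safely: {v!r}")
    commands = []
    for i in range(0, len(to_expire), batch_size):
        commands.append(("expireIndicators", {"value": ",".join(to_expire[i:i + batch_size])}))
    for i in range(0, len(to_pin), batch_size):
        commands.append(("setIndicators", {"indicatorsValues": ",".join(to_pin[i:i + batch_size]),
                                           "expiration": "Never"}))
    return commands


def render_cli(commands):
    """Render the pairs as the equivalent CLI lines, for review before running."""
    return [f"!{name} " + " ".join(f"{k}={v}" for k, v in args.items()) for name, args in commands]


def run_in_xsoar(commands):
    """Execute the commands inside an XSOAR automation (assumption: demisto.executeCommand)."""
    try:
        execute = demisto.executeCommand  # 'demisto' is injected into automations by XSOAR
    except NameError:
        raise RuntimeError("run_in_xsoar only works inside an XSOAR automation")
    return [execute(name, args) for name, args in commands]


if __name__ == "__main__":
    expire, pin = partition(SAMPLE_INDICATORS)
    for line in render_cli(build_commands(expire, pin)):
        print(line)
```

Review the render_cli output before calling run_in_xsoar: a manual expiration overrides feed and type expiration rules, so an over-broad age cut-off quietly retires indicators those rules would have kept active.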