Expire an indicator - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Expire an indicator in the CLI or in the UI.

Indicators have an Expiration Status field that is either Active or Expired. Expired indicators still exist in Cortex XSOAR: they are still displayed and you can still search for them. Expiring an indicator lets you filter out less relevant alerts so that analysts can focus on active threats, and expiring IoCs that are no longer relevant keeps your security systems focused on current threats.

You can set up expiration in the indicator type, in the integration feed, or in a script. For more information, see Configure indicator expiration. Manually expiring an indicator overrides the expiration rules set in scripts, indicator types, and feeds.

You can expire indicators using the following methods:

  • In the indicator layout by clicking Expire indicator.

    You need a TIM license to access the indicator layout.

  • Use the expireIndicators command to change the expiration status of one or more indicators to Expired. The command accepts a comma-separated list of indicator values (no spaces) and the list can mix indicator types. For example, the following expires an IP address, a domain, and a file hash in one call: !expireIndicators value=1.1.1.1,safeurl.com,45356A9DB614ED7161A3B9192E2F318D0AB5AD10.

  • Use the !setIndicator command (or !setIndicators for multiple indicators) to reset an indicator's expiration value. The value can also be set to Never, so that the indicator never expires. For example: !setIndicators indicatorsValues=watson.com expiration=Never.
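The same two commands can be driven from an automation script when a feed review produces a long list of stale indicators. The following is an added example, not code from the Cortex XSOAR documentation: it batches values into the comma-separated form expireIndicators expects, rejects values that would break that delimiter, and issues the command through demisto.executeCommand (the script-side API for running commands). The batch size is an assumed, conservative limit; the `execute` parameter exists so the logic can be exercised outside the XSOAR runtime.

```python
import re

# Assumed batch size: keeps each command's argument string to a sane length.
BATCH_SIZE = 100


def build_batches(values, batch_size=BATCH_SIZE):
    """Turn an iterable of indicator values into argument strings for the
    expireIndicators 'value' argument (comma-separated, order preserved,
    duplicates dropped). A value containing a comma or whitespace is
    rejected, because it would be split into bogus indicators."""
    cleaned = []
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        if "," in value or re.search(r"\s", value):
            raise ValueError(f"unsupported indicator value: {value!r}")
        if value not in cleaned:
            cleaned.append(value)
    return [",".join(cleaned[i:i + batch_size])
            for i in range(0, len(cleaned), batch_size)]


def _default_execute():
    import demisto  # only present inside the XSOAR script runtime
    return demisto.executeCommand


def expire_indicators(values, execute=None):
    """Set the expiration status of every value to Expired, one batch per
    expireIndicators call. Returns the raw result of each call."""
    execute = execute or _default_execute()
    return [execute("expireIndicators", {"value": batch})
            for batch in build_batches(values)]


def never_expire(values, execute=None):
    """Mark the given indicators as never expiring via setIndicators."""
    execute = execute or _default_execute()
    return [execute("setIndicators",
                    {"indicatorsValues": batch, "expiration": "Never"})
            for batch in build_batches(values)]
```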