Configure indicator expiration

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2025-05-22
Category
Administrator Guide
Solution
Cloud
Abstract

Cortex XSOAR indicators have an active or expired status which can be set to expire after a specific period or never to expire. Set default expiration method.

Indicators can have the Expiration Status field set to Active or Expired, which is determined by the Expiration field. When indicators expire, they still exist in Cortex XSOAR, meaning they are still displayed and you can still search for them. A job that runs daily checks for newly expired indicators and updates the Expiration Status field.

When indicators expire, the Expiration Status and Expiration fields are updated. You can use these field changes to trigger actions based on indicator expiration. For more information, see Indicator field trigger scripts.

You can set the default expiration method for indicators either to never expire or to expire after a specific period. The default expiration method is set per indicator type. For more information, see Indicator type profile.

The following sections describe the hierarchy by which indicators are expired, from the highest-priority method to the lowest.

Manual

Manually expire the indicator either in the indicator layout or CLI. This method overrides all other methods.

Note

You need a TIM license to access the indicator layout.

Use the expireIndicators command to change the expiration status to Expired for one or more indicators. This command accepts a comma-separated list of indicator values and supports multiple indicator types. For example, you can set the expiration status for an IP address, domain, and file hash: !expireIndicators value=1.1.1.1,safeurl.com,45356A9DB614ED7161A3B9192E2F318D0AB5AD10

Use the !setIndicators command to reset the indicators' expiration value. The expiration parameter's value can either be never or a time in ISO 8601 format. For example, 2006-01-02T15:04:05Z (for UTC time) or 2006-01-02T15:04:05Z07:00 (UTC +7 hours).

Examples:
  • !setIndicators indicatorsValues=watson.com expiration=Never

  • !setIndicators indicatorsValues=watson.com expiration=2006-01-02T15:04:05Z

You can also run these commands from a script, but a user can still override the result by running a command in the CLI or by editing the indicator layout.

Feed integration

Some integrations support setting the expiration method on an integration instance level, which overrides the method defined for the indicator type.

Note

If a feed's expiration method is set to When removed from the feed, indicators that are removed from the feed immediately expire. Note that if the feed is disabled, its expiration method reverts to that of the indicator type (time-based).

Time-based expiration is set according to feed reliability. If the same indicator appears on multiple feeds, the feed with the highest reliability determines the indicator's expiration time. If multiple feeds have the same reliability, the last feed to add or modify the indicator determines its expiration time.

Example:

  • An indicator was initially fetched by Feed A, then by Feed B.

  • Both feeds have the same reliability.

  • Feed B's indicators are set to expire When removed from the feed.

  • Feed B is now disabled.

After Feed B is disabled, the indicator's expiration method reverts to that of the indicator type (for example, expire after 7 days). However, if Feed A then modifies the indicator (or removes and re-adds it), the expiration method changes back to Feed A's settings.

Indicator type

The expiration method (interval or never) is defined per indicator type and applies to all indicators of that type. This is the default expiration method for an indicator.
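The three-level hierarchy above (manual, then feed, then indicator type) is modelled below as an added example; it is not Cortex XSOAR code. The Feed and Indicator classes, the reliability ranking, and the choice to count the indicator type's interval from the most recent fetch are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reliability ordering (A+ most reliable); an assumption, not an XSOAR constant.
RELIABILITY_RANK = {"A+": 7, "A": 6, "B": 5, "C": 4, "D": 3, "E": 2, "F": 1}

@dataclass
class Feed:
    name: str
    reliability: str
    method: str = "interval"          # "interval", "never" or "when_removed"
    expiration_days: Optional[int] = 7
    enabled: bool = True

@dataclass
class Indicator:
    value: str
    fetched_by: list = field(default_factory=list)  # (Feed, fetch time), chronological order
    manual_expiration: Optional[str] = None          # "never" or ISO 8601 string set by a user

def resolve_expiration(ind, type_method="interval", type_days=7):
    """Return (method, expires_at) following the hierarchy manual > feed > indicator type."""
    # 1. A manual value (layout, CLI, expireIndicators/setIndicators) overrides everything.
    if ind.manual_expiration is not None:
        if ind.manual_expiration.lower() == "never":
            return "never", None
        return "time", datetime.fromisoformat(ind.manual_expiration.replace("Z", "+00:00"))
    # 2. Feed level: the most reliable feed owns the indicator; on equal reliability the
    #    last feed to add or modify it wins. Replay the fetches in order to find the owner.
    owner = None
    for feed, fetched_at in ind.fetched_by:
        if owner is None or RELIABILITY_RANK[feed.reliability] >= RELIABILITY_RANK[owner[0].reliability]:
            owner = (feed, fetched_at)
    if owner is not None and owner[0].enabled:
        feed, fetched_at = owner
        if feed.method == "never":
            return "never", None
        if feed.method == "when_removed":
            return "when_removed", None
        return "time", fetched_at + timedelta(days=feed.expiration_days)
    # 3. Owning feed disabled (or never fetched by a feed): fall back to the indicator type.
    #    Assumption: the type interval is counted from the most recent fetch.
    if type_method == "never":
        return "never", None
    last_seen = max((t for _, t in ind.fetched_by), default=datetime.now(timezone.utc))
    return "time", last_seen + timedelta(days=type_days)
```

Replaying the page's Feed A / Feed B scenario through resolve_expiration shows the indicator switching from "when_removed" to the type's 7-day interval when Feed B is disabled, and back to Feed A's interval once Feed A modifies it again.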