Indicators have an Active or Expired status. They can be set
to expire after a period of time or to never expire.
Indicators can have the Expiration Status
field set to Active or Expired, which is determined by the
When indicators expire, they still exist in Cortex XSOAR, meaning
they are still displayed and you can still search for them. A job
that runs every hour checks for newly expired indicators and updates
You can set the default expiration method for indicators either
to never expire, or to expire after a specific period of time. The
default expiration method is set by the indicator type. For more
information, see Indicator Type Profile.
This is the hierarchy by which indicators are expired.
A user manually expires an indicator. This
method overrides all other methods.
to change the expiration status to
one or more indicators. This script accepts a comma-separated list
of indicator values, and supports multiple indicator types. For
example, an IP address, domain, and file hash: