Indicator Expiration

Cortex XSOAR indicators have an Active or Expired status, and can be set to expire after a period of time or to never expire. You can set the default expiration method.
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the field. When indicators expire, they still exist in Cortex XSOAR, meaning they are still displayed and you can still search for them. A job that runs every hour checks for newly expired indicators and updates the Expiration Status.
You can set the default expiration method for indicators either to never expire, or to expire after a specific period of time. The default expiration method is set by the indicator type. For more information see Indicator Type Profile.
This is the hierarchy by which indicators are expired.
A user manually expires an indicator. This method overrides all other methods.
Automation script
Use the expireIndicators command to change the expiration status to Expired for one or more indicators. This script accepts a comma-separated list of indicator values, and supports multiple indicator types. For example, an IP address, domain, and file hash:
!expireIndicators value=,,45356A9DB614ED7161A3B9192E2F318D0AB5AD10
(Same in the indicator expiration hierarchy as manual.)
Feed integration
The expiration method configured for an integration instance, which overrides the method defined for the indicator type.
Indicator type
The expiration method (interval or never) defined according to indicator type, which applies to all indicators of this type. This is the default expiration method for an indicator.
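The hierarchy above, modelled in Python as an added example (this is not Cortex XSOAR code). It shows which method decides for each indicator and how an hourly job would update the status without deleting anything. The class and function names, the `fetched` timestamp the interval is measured from, and the sample indicators are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    interval: Optional[timedelta] = None   # None means "never expire"

@dataclass
class Indicator:
    value: str
    type_policy: Policy                    # default method, from the indicator type
    fetched: datetime                      # assumed start of the expiration interval
    feed_policy: Optional[Policy] = None   # set only if a feed instance configures one
    manually_expired: bool = False         # manual action or expireIndicators
    status: str = "Active"

def evaluate(ind: Indicator, now: datetime) -> Tuple[bool, str]:
    """Return (expired?, deciding method) following the hierarchy on this page."""
    if ind.manually_expired:               # overrides all other methods
        return True, "manual"
    feed = ind.feed_policy is not None     # feed instance overrides the indicator type
    policy, source = (ind.feed_policy, "feed") if feed else (ind.type_policy, "type")
    if policy.interval is None:
        return False, source
    return now >= ind.fetched + policy.interval, source

def hourly_job(indicators: List[Indicator], now: datetime) -> List[str]:
    """Mark newly expired indicators as Expired; nothing is deleted."""
    changed = []
    for ind in indicators:
        if ind.status == "Active" and evaluate(ind, now)[0]:
            ind.status = "Expired"
            changed.append(ind.value)
    return changed

def sample_indicators(t0: datetime) -> List[Indicator]:
    """Constructed sample data (documentation-range addresses and example domains)."""
    week, day = Policy(timedelta(days=7)), Policy(timedelta(days=1))
    return [
        Indicator("192.0.2.10", week, t0),                             # type default only
        Indicator("example.com", week, t0, feed_policy=Policy()),      # feed says never
        Indicator("feed.example.net", Policy(), t0, feed_policy=day),  # feed says 1 day
        Indicator("198.51.100.7", Policy(), t0, manually_expired=True),
    ]

if __name__ == "__main__":
    inds = sample_indicators(datetime(2024, 1, 1))
    print(hourly_job(inds, datetime(2024, 1, 9)), [i.status for i in inds])
```

In the sample, the feed setting keeps example.com active past its type's seven-day interval, while the manually expired address is expired even though its type never expires.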
