Cortex XSOAR indicators have an active or expired status, and can be set to expire after a period of time or to never expire.
Set default expiration method.
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the Expiration field.
When indicators expire, they still exist in Cortex XSOAR, meaning they are still displayed and you can still search for them. A job that runs every hour checks for newly expired indicators and updates the Expiration Status field.
When indicators expire, the expirationStatus and expiration fields
are updated. You can use an indicator field
trigger script to take actions based on indicator expiration.
You can set the default expiration method for indicators either
to never expire, or to expire after a specific period of time. The
default expiration method is set by the indicator type. For more
information see Indicator Type Profile.
This is the hierarchy by which indicators are expired.
| Method | Description |
| --- | --- |
| Manual | A user manually expires the indicator or sets it to never expire. This method overrides all other methods. |
| Automation script | Use the expireIndicators command to change the expiration status to Expired for one or more indicators. This script accepts a comma-separated list of indicator values, and supports multiple indicator types. For example, an IP address, domain, and file hash: |
| | The expiration method configured for an integration instance, which overrides the method defined for the indicator type. |
| Indicator type | The expiration method (interval or never) defined according to indicator type, which applies to all indicators of this type. This is the default expiration method for an indicator. |