Indicator Expiration
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Individual Object Context & Actions - Expiration Date
Expiration ("Expired") is a status that can be assigned to an indicator. The expired status should be used when an indicator is deemed by an analyst to pose less of a threat to their infrastructure than other indicators.
See the Indicator Expiration Policies topic for more information on setting up automatic expiration policies for indicators.
Ways an Indicator can Expire
- An analyst manually changes the status of one or more indicators to "Expired"
This can be achieved by visiting an individual indicator's details page, then using the Status dropdown in the top-right corner of the page to change the status.
If the analyst wishes to change the status of multiple indicators at the same time, they can use the advanced search tool to find the indicators they'd like to update, then click the Bulk Update button found directly to the right above the search results.
- An analyst manually sets an expiration date for a specific indicator
Each indicator can have an expiration date set. Once that date has passed, the indicator's status changes from its current status to "Expired".
- An expiration policy has been applied to the source reporting an indicator and therefore an expiration date is automatically set for that indicator during ingestion
Using the “Expiration” tab on the Indicator Management page, a ThreatQ admin has the ability to apply expiration policies to all ingested information, both new and existing, coming from a specific intelligence source. See the Indicator Expiration Policies topic for more details.
Changing the Expiration Date for an Individual Indicator
When viewing a specific indicator, its expiration date can be changed by clicking on the link next to the expiration information.
Options include:
Option | Description |
---|---|
Add 7 Days | This will extend the current expiration date by 7 days. |
Add 14 Days | This will extend the current expiration date by 14 days. |
Protect from Auto-Expiration | This will set the indicator to "Never Expire". Once set, this indicator will be exempt from all automated expiration processes regardless of circumstances. The only way for this indicator to expire moving forward is by analyst choice. |
Remove Current Expiration Date | This will remove the currently set expiration date. If this indicator is reported by an intelligence feed (with an expiration policy) in the future, a new expiration date will be added at that point in time. |
Changing the Expiration Date for Multiple Indicators
You can apply expiration changes for a set of indicators using the Bulk Action function. See the Bulk Actions topic for further details.