Disable old indicators #30
Labels: needs triage (this issue has been automatically labelled and needs further triage); playbook:activity=4 (playbooks for activity 4); playbook:state=proposal (a 'proposal' for a new playbook)
The title of the playbook
Disable old indicators
Purpose of the playbook
This playbook uses input from the analysts (a matrix with defaults such as IPs: 30d, hashes: 300d, URLs: 100d) and removes the to_ids flag from indicators older than the supplied value. Changed attributes are tagged and the events to which they belong are republished. A summary of the changes is included in the result of the playbook. This playbook is similar to the decaying of indicators feature.
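The selection step described above (age matrix per indicator family, clear to_ids, tag the attribute, collect events to republish, summarise), as an added example that is not part of the proposal or the playbook repository. It works on MISP-style attribute dicts rather than a live PyMISP connection; the grouping of attribute types into families and the tag name are assumptions.

```python
"""Selection logic for the proposed 'disable old indicators' playbook (added example)."""
from datetime import datetime, timedelta, timezone

# Analyst-supplied matrix: maximum indicator age in days per family (defaults from the proposal).
DEFAULT_MAX_AGE_DAYS = {"ip": 30, "hash": 300, "url": 100}

# MISP attribute types grouped into the families used by the matrix (assumed grouping).
FAMILY_OF_TYPE = {"ip-src": "ip", "ip-dst": "ip",
                  "md5": "hash", "sha1": "hash", "sha256": "hash",
                  "url": "url"}

STALE_TAG = "misp-playbook:indicator-expired"  # hypothetical tag name for changed attributes


def expire_old_indicators(attributes, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """Clear to_ids on MISP-style attribute dicts older than their family's threshold.
    Returns (changed attributes, event ids to republish, per-family summary)."""
    now = now or datetime.now(timezone.utc)
    changed, events, summary = [], set(), {}
    for attr in attributes:
        family = FAMILY_OF_TYPE.get(attr["type"])
        if family is None or not attr.get("to_ids"):
            continue  # no threshold for this type, or already not used for detection
        age = now - datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if age <= timedelta(days=max_age_days[family]):
            continue  # still within the analyst-defined lifetime
        attr["to_ids"] = False
        attr.setdefault("Tag", []).append({"name": STALE_TAG})
        changed.append(attr)
        events.add(attr["event_id"])
        summary[family] = summary.get(family, 0) + 1
    return changed, sorted(events), summary


def run_sample():
    """Run the selection over constructed attributes against a fixed reference date."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)

    def attr(type_, value, days_old, event_id, to_ids=True):
        ts = int((now - timedelta(days=days_old)).timestamp())
        return {"type": type_, "value": value, "to_ids": to_ids,
                "event_id": event_id, "timestamp": ts}

    sample = [attr("ip-dst", "198.51.100.7", 61, "1"),         # ip older than 30d -> expire
              attr("ip-src", "203.0.113.9", 12, "1"),          # recent ip -> keep
              attr("sha256", "a" * 64, 517, "2"),              # hash older than 300d -> expire
              attr("md5", "b" * 32, 152, "2"),                 # hash within 300d -> keep
              attr("url", "http://example.test/x", 152, "3"),  # url older than 100d -> expire
              attr("url", "http://example.test/y", 400, "3", to_ids=False),  # already disabled
              attr("domain", "example.test", 900, "4")]        # no threshold in the matrix -> skip
    return expire_old_indicators(sample, now=now)
```

In a real playbook the changed attributes would be pushed back with PyMISP and the listed events republished; the summary dict is what the proposal's result message would report.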
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Briefly list the execution steps or workflow
No response