
Add option in mass import to mass retire IOCs

Open PhilOrdo opened this issue 2 years ago • 1 comments

We can currently resurrect existing retired IOCs imported via https://threatkb.inquest.net/#!/import. This is a feature request to add an option to retire imported IOCs if they exist in ThreatKB and are in "Released" state.

  • Ability to quick filter for key timestamp fields on indicators (evaluate as "if (date_now) > the timestamp field"):
    • Expiration timestamps
    • Next review on timestamp

This applies to indicators (C2 IP, C2 domains).

PhilOrdo • Apr 21 '23 18:04

@PhilOrdo We reviewed this a bit with @dcuellar322 and next steps that could move this ahead are to basically provide an input file, like what we'd use in this use case, and pass that over to David as an example of the workflow and for him to test with locally.

dspruell-i01 • Mar 07 '24 17:03