Add option in mass import to mass retire IOCs #460

Open
PhilOrdo opened this issue Apr 21, 2023 · 1 comment
Labels
enhancement threat-intel Issue originated from Threat Intel (TI) team

Comments

Contributor

PhilOrdo commented Apr 21, 2023

We can currently resurrect existing retired IOCs imported via https://threatkb.inquest.net/#!/import. This is a feature request to add an option to retire imported IOCs if they exist in ThreatKB and are in "Released" state.

  • Ability to quick filter for key timestamp fields on indicators (evaluate as "if (date_now) > the timestamp field"):
    • Expiration timestamps
    • Next review on timestamp

This applies to indicators (C2 IP, C2 domains).

@dspruell-i01 dspruell-i01 added the threat-intel Issue originated from Threat Intel (TI) team label May 31, 2023
@battleoverflow battleoverflow moved this to Backlog in ThreatKB Aug 1, 2023
@dspruell-i01

@PhilOrdo We reviewed this a bit with @dcuellar322 and next steps that could move this ahead are to basically provide an input file, like what we'd use in this use case, and pass that over to David as an example of the workflow and for him to test with locally.

Projects
Status: Backlog