
Set a default 'Valid To' field for Observables/Indicators by Type

Open TechBurn0ut opened this issue 2 years ago • 0 comments

Use case

As an Analyst, I would like the ability to set default expiration/'Valid to' dates based on observable/indicator type. This should also extend into any relationships that are related to the observable/indicator.

Also, this would allow for more flexibility, as observables such as IPs should/could have a shorter valid time than domains.

This will help in properly filtering "Active" observables and relationships.

Current Workaround

As far as I understand, there is no functionality like this in the platform. The current workaround is to write an external process to query the platform for a given observable, calculate the 'valid' timespan according to the observable type, and update the object's valid-to field.

Proposed Solution

If no valid-to value is provided, then calculate the time from the valid-from field and the defined time span for the observable type.

Additional Information

None

If the feature request is approved, would you be willing to submit a PR?

No

TechBurn0ut, Aug 25 '22 15:08
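An added example, not code from the issue author or the OpenCTI project, of the calculation described under Proposed Solution: fill in valid_until from valid_from plus a per-type lifetime only when it is missing, then filter "active" indicators. The lifetimes, function names and sample indicators are assumptions constructed for illustration, and the indicators are plain STIX-style dictionaries rather than platform API objects.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed per-type lifetimes (illustrative values, not platform defaults).
DEFAULT_TTL = {
    "ipv4-addr": timedelta(days=30),
    "domain-name": timedelta(days=180),
}
FALLBACK_TTL = timedelta(days=90)  # assumed lifetime for unlisted types

# First object type named in a STIX pattern such as [ipv4-addr:value = '...'].
_PATTERN_TYPE = re.compile(r"\[\s*([a-z0-9-]+):")
_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def _parse(ts):
    return datetime.strptime(ts, _FMT).replace(tzinfo=timezone.utc)

def observable_type(indicator):
    match = _PATTERN_TYPE.search(indicator.get("pattern", ""))
    return match.group(1) if match else None

def with_default_valid_until(indicator):
    """Return a copy with valid_until filled in only when it is missing."""
    out = dict(indicator)
    if out.get("valid_until"):
        return out  # an explicit expiry always wins over the default
    ttl = DEFAULT_TTL.get(observable_type(out), FALLBACK_TTL)
    expiry = _parse(out["valid_from"]) + ttl
    # Trim microseconds to the millisecond precision used in valid_from.
    out["valid_until"] = expiry.strftime(_FMT)[:-4] + "Z"
    return out

def is_active(indicator, now):
    """True when valid_from <= now < valid_until."""
    return _parse(indicator["valid_from"]) <= now < _parse(indicator["valid_until"])

# Constructed sample indicators (documentation address and domain).
SAMPLE = [
    {"pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2022-08-25T15:08:00.000Z"},
    {"pattern": "[domain-name:value = 'example.test']",
     "valid_from": "2022-08-25T15:08:00.000Z"},
    {"pattern": "[ipv4-addr:value = '198.51.100.8']",
     "valid_from": "2022-08-25T15:08:00.000Z",
     "valid_until": "2023-01-01T00:00:00.000Z"},
]

if __name__ == "__main__":
    now = datetime(2022, 10, 1, tzinfo=timezone.utc)
    for item in map(with_default_valid_until, SAMPLE):
        print(item["pattern"], item["valid_until"], is_active(item, now))
```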