opencti icon indicating copy to clipboard operation
opencti copied to clipboard

Published 20 hours ago verified publisher icon OpenCTI-Platform

Handling Revoked or Expired Observables

Open annoyingapt opened this issue 2 years ago • 1 comments
trafficstars

Use case

Currently we are sharing observables. However, if an indicator is revoked or expired, this information is not pushed to an observable. Meaning we are sharing observables that should not be shared as they have been revoked.

Current Workaround

Have an external script query the indicators, then modify the observables.

Proposed Solution

Have a retention policy that allows us to delete observables if the indicator is revoked or expired.

annoyingapt avatar Mar 22 '23 08:03 annoyingapt

Do you want me to close this if it is marked as duplicate?

annoyingapt avatar Feb 23 '24 20:02 annoyingapt