InQuest / ThreatKB

Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)
GNU General Public License v2.0

Add option in mass import to mass retire IOCs #460

Open PhilOrdo opened 1 year ago

PhilOrdo commented 1 year ago

We can currently resurrect existing retired IOCs imported via https://threatkb.inquest.net/#!/import. This is a feature request to add an option to retire imported IOCs if they exist in ThreatKB and are in the "Released" state.

This applies to indicators (C2 IP, C2 domains).

dspruell-i01 commented 6 months ago

@PhilOrdo We reviewed this a bit with @dcuellar322, and the next steps that could move this ahead are basically to provide an input file, like what we'd use in this use case, and pass that over to David as an example of the workflow and for him to test with locally.