The title of the playbook
Disable old indicators
Purpose of the playbook
This playbook takes a matrix of maximum ages per indicator type from the analysts (with defaults such as IPs: 30d, hashes: 300d, URLs: 100d) and removes the to_ids flag from indicators older than the value supplied for their type. Changed attributes are tagged and the events to which they belong are republished. A summary of the changes is included in the result of the playbook. This playbook is similar to the decaying of indicators feature.
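The core of such a playbook, written here as an added example and not code from the playbook or the MISP project: a per-type age matrix, a selection step that only touches attributes that still have to_ids set and whose type has a threshold, a pass that clears the flag, tags each changed attribute and republishes each affected event exactly once, and a summary of what was done. The default matrix, the tag name, the attribute sample set and the fixed "now" are assumptions made for the example; age is measured from the attribute's MISP timestamp (unix epoch, as the API returns it). The three client calls are written against PyMISP's update_attribute, tag and publish methods, but the block ships with a recording stand-in so it runs offline as a dry run.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed default matrix (days per MISP attribute type); analysts override it as playbook input.
DEFAULT_MAX_AGE_DAYS = {
    "ip-src": 30, "ip-dst": 30,
    "md5": 300, "sha1": 300, "sha256": 300,
    "url": 100,
}
DISABLED_TAG = "playbook:to_ids-disabled-by-age"   # assumed tag name


def select_old_indicators(attributes, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """Return the attributes that still have to_ids set and whose MISP timestamp
    (unix epoch) is older than the threshold for their type.
    Types without a threshold in the matrix are never touched."""
    now = now or datetime.now(timezone.utc)
    selected = []
    for attr in attributes:
        if not attr.get("to_ids"):
            continue
        limit = max_age_days.get(attr["type"])
        if limit is None:
            continue
        seen = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if now - seen > timedelta(days=limit):
            selected.append(attr)
    return selected


def disable_old_indicators(misp, attributes, max_age_days=DEFAULT_MAX_AGE_DAYS,
                           tag=DISABLED_TAG, now=None):
    """Clear to_ids on old indicators, tag each changed attribute, republish every
    touched event once (not once per attribute) and return a summary."""
    changed = select_old_indicators(attributes, max_age_days, now)
    touched_events = set()
    for attr in changed:
        attr["to_ids"] = False
        misp.update_attribute(attr)      # PyMISP.update_attribute(attribute)
        misp.tag(attr["uuid"], tag)      # PyMISP.tag(uuid_or_entity, tag)
        touched_events.add(str(attr["event_id"]))
    for event_id in sorted(touched_events):
        misp.publish(event_id)           # PyMISP.publish(event)
    return {
        "changed": len(changed),
        "by_type": dict(Counter(a["type"] for a in changed)),
        "republished_events": sorted(touched_events),
        "tag": tag,
    }


class RecordingClient:
    """Dry-run stand-in for a PyMISP client: records the calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def update_attribute(self, attribute):
        self.calls.append(("update_attribute", attribute["uuid"], attribute["to_ids"]))

    def tag(self, entity, tag):
        self.calls.append(("tag", entity, tag))

    def publish(self, event):
        self.calls.append(("publish", event))


# Constructed sample data: a fixed "now" and attributes in MISP's JSON shape (uuids shortened).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return str(int((NOW - timedelta(days=n)).timestamp()))


SAMPLE_ATTRIBUTES = [
    {"uuid": "a1", "event_id": "10", "type": "ip-dst", "value": "198.51.100.7",
     "timestamp": _days_ago(45), "to_ids": True},     # older than 30d -> disable
    {"uuid": "a2", "event_id": "10", "type": "ip-dst", "value": "203.0.113.9",
     "timestamp": _days_ago(10), "to_ids": True},     # fresh -> keep
    {"uuid": "a3", "event_id": "11", "type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "timestamp": _days_ago(400), "to_ids": True},    # older than 300d -> disable
    {"uuid": "a4", "event_id": "11", "type": "url", "value": "http://example.com/x",
     "timestamp": _days_ago(120), "to_ids": False},   # already off -> skip
    {"uuid": "a5", "event_id": "12", "type": "domain", "value": "example.org",
     "timestamp": _days_ago(999), "to_ids": True},    # no threshold for this type -> skip
]


def run_dry_run():
    """Run the playbook logic over copies of the sample set with the recording client."""
    client = RecordingClient()
    summary = disable_old_indicators(client, [dict(a) for a in SAMPLE_ATTRIBUTES], now=NOW)
    return summary, client.calls


if __name__ == "__main__":
    summary, calls = run_dry_run()
    print(summary)
    for call in calls:
        print(call)
```

Swapping RecordingClient for a real PyMISP instance turns the dry run into the live playbook; keeping the dry run as a first pass lets the analyst review the summary before anything is republished. Note that an attribute of a type absent from the matrix is left alone rather than disabled, so a type the analysts forgot to list never decays silently.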
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Briefly list the execution steps or workflow
No response