TimeGenerated

[UPVZ2]

Hello, I have a question: Rules in Sentinel cannot query data older than 14 days. So if my IOC was integrated 15 days ago (it has a TimeGenerated that has more than 15 days) then my rules will not be able to use it. Is there a parameter in the script or a way to handle this problem?

[cudeso]

Hello, The best way to approach this is

• Set the expiration date of the indicators days_to_expire to 14 days
• Set the request to query indicators in MISP to take into account older indicators (in misp_event_filters, set publish_timestamp to for example 60 days). If I'm not mistaken, the indicators will "expire" in Sentinel after 14 days, but the import will "refresh" them because it's loading the older indicators. Let me know if this works for you.

[UPVZ2]

Hello, I initialize the "days_to_expire" to 2 days. However my indicator "Valid until" in sentinel remains at "Day +50" as if it did not take into account the parameter "day_to_expire"

[cudeso]

Is this the case for already/previously synchronised indicators or only for new indicators?

[cudeso]

Closing pending feedback