MISP / misp-playbooks

MISP Playbooks

Home Page: https://misp.github.io/misp-playbooks/


Disable old indicators

cudeso opened this issue · comments

The title of the playbook

Disable old indicators

Purpose of the playbook

This playbook uses input from the analysts (a matrix with defaults such as IPs: 30d, hashes: 300d, URLs: 100d) and removes the to_ids flag from indicators older than the supplied value. Changed attributes are tagged and the events to which they belong are republished. A summary of the changes is included in the result of the playbook. This is a playbook similar to the decaying of indicators feature.

External resources used by this playbook

Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)

Target audience

CTI

Briefly list the execution steps or workflow

No response
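
The selection logic described under "Purpose of the playbook", sketched as an added example; it is not code from this issue or from the MISP project. It works offline on plain dicts modelled on MISP attribute JSON. The mapping from attribute types to the matrix classes, the use of the attribute `timestamp` as the age reference, and the tag name are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Analyst-supplied matrix from the issue text: maximum age in days per class.
MAX_AGE_DAYS = {"IPs": 30, "hashes": 300, "URLs": 100}
# Assumption: how MISP attribute types map onto the classes in the matrix.
TYPE_CLASS = {"ip-src": "IPs", "ip-dst": "IPs", "md5": "hashes",
              "sha1": "hashes", "sha256": "hashes", "url": "URLs"}
DISABLED_TAG = "playbook:to_ids-disabled"  # hypothetical tag name


def disable_old_indicators(attributes, now, max_age_days=MAX_AGE_DAYS):
    """Clear to_ids on attributes older than their class limit; return a summary."""
    changed, events, per_class = [], set(), {}
    for attr in attributes:
        cls = TYPE_CLASS.get(attr["type"])
        if cls is None or not attr["to_ids"]:
            continue  # type not covered by the matrix, or flag already cleared
        # Assumption: age is measured from the attribute's last-modified timestamp.
        modified = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if now - modified <= timedelta(days=max_age_days[cls]):
            continue  # exactly at the limit still counts as current
        attr["to_ids"] = False
        attr.setdefault("tags", []).append(DISABLED_TAG)
        changed.append(attr["id"])
        events.add(attr["event_id"])  # each event is republished once
        per_class[cls] = per_class.get(cls, 0) + 1
    return {"changed": changed, "republish": sorted(events), "per_class": per_class}


# Constructed sample data (no real indicator values), ages relative to NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _ts(days_ago):
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))

SAMPLE = [
    {"id": "1", "event_id": "10", "type": "ip-dst", "to_ids": True, "timestamp": _ts(45)},
    {"id": "2", "event_id": "10", "type": "sha256", "to_ids": True, "timestamp": _ts(45)},
    {"id": "3", "event_id": "11", "type": "url", "to_ids": True, "timestamp": _ts(101)},
    {"id": "4", "event_id": "12", "type": "md5", "to_ids": False, "timestamp": _ts(400)},
    {"id": "5", "event_id": "12", "type": "ip-src", "to_ids": True, "timestamp": _ts(30)},
    {"id": "6", "event_id": "13", "type": "domain", "to_ids": True, "timestamp": _ts(900)},
]

if __name__ == "__main__":
    print(disable_old_indicators(SAMPLE, NOW))
```

Attribute types outside the matrix (the `domain` entry here) are left untouched rather than disabled by default, so an incomplete matrix cannot silently strip detection coverage.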