Deleting Threat Intelligence Indicators

Copper Contributor

Is the expectation that the "ThreatIntelligence" table counts should change when you delete indicators from the GUI or API?


In my case I have been deleting thousands of old indicators via GUI/API, yet the total count and unique indicator count do not change in the ThreatIntelligence table for LAW supporting my Sentinel instance.


For background, I connected a TI source via one of the connectors without realizing the source vendor does not populate the "valid until" field.  As a result I have a ton of stale data causing false positive alerts for the analytic rules that leverage the TI table.  Without the "valid until" field Sentinel continually refreshes them indefinitely.  It would be nice if you could set a default valid time for indicators that do not specify one.

1 Reply

I figured it out, when you delete them a new entry is created for the indicator with the "Active" field as false.