Hello, is there a way to set an expiration date on an Entity, like TimeToLive, in the Siemplify Platform?
Entities are not removed from the system, so, the easy answer is 'no'.
Depending on your use case, there might be some ways you can still achieve something similar...
You could set some enrichment on the entity or use the context DB to store information about the entity, and use a sync job to periodically clean up. If you elaborate on your need I might be able to help a little.
Hello
We have a feed of Threat Intelligence, which comes with an expiration date for a set of IOCs. So based on the expiration date we would like to delete these IOCs.
In our MISP instance, where we manage the IOCs, each IOC usually has a "first discovered" and a "last seen" timestamp, as well as a time-to-live.
Our alerting only fires for Indicators where "last seen" plus TTL < current time.
Something like this should also be possible with entity attributes in Siemplify.
So if an indicator came into the platform on 2022-10-01, and the TTL is 14 days, it will be "invalidated" on 2022-10-15, except if it has been "last seen" sometime after 2022-10-01, which is then the new date to count the TTL against.
@Venkat_Rambatla Not sure I completely understand.
What is the flow? You have your TI feed, how is it incorporated into Siemplify? Are you ingesting it as a list of alerts?
Do you want to remove enrichment from the IOCs once the feed is outdated?
Since the example Marek gave sounds similar to what you ask, maybe I can get more information there.
@Marek_Kreul, if I understand correctly, you only ingest new instances of the IOC into Siemplify if it is within the TTL from the last seen of that indicator. You ask that entity attributes in Siemplify be removed if the last seen is older than TTL?
I think it should be noted that entity enrichment in alerts should reflect the information that was present during the alerts ingestion and investigation, and thus we keep it 'frozen' in time (and unchanged). If you guys refer to the entity explorer it makes much more sense. I believe you cannot simply remove entities from the explorer nor can you remove enrichments. However, it should be possible to override enrichment fields. So, a job cleaning out old IOCs' enrichment from the entity explorer is plausible.
Last thought... If you keep the TTL field in the enrichment, can't you use it to determine if the IOC is stale? Or are you concerned that analysts would miss that field and assume an active IOC?
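The TTL rule from Marek's post ("first discovered", "last seen", time-to-live, expiry counted from the most recent sighting) and the periodic cleanup job Yair suggests, combined into one added Python example. This is not code from this thread, from MISP or from Siemplify; the indicator values, dates and the enrichment field names (`ioc_status`, `ioc_expired_on`, `ioc_last_seen`) are constructed assumptions, and the platform call that would actually override the enrichment is not shown:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Indicator:
    """One IOC as a feed or MISP would hand it over (all sample values are constructed)."""
    value: str
    first_seen: date
    ttl_days: int
    last_seen: Optional[date] = None


def parse_day(iso: str) -> date:
    """Parse a YYYY-MM-DD string as used in the feed."""
    return date.fromisoformat(iso)


def indicator(value: str, first_seen: str, ttl_days: int, last_seen: Optional[str] = None) -> Indicator:
    """Build an Indicator from the string fields a feed record would carry."""
    return Indicator(value, parse_day(first_seen), ttl_days, parse_day(last_seen) if last_seen else None)


def expiry_date(ioc: Indicator) -> date:
    """The TTL is counted from the most recent sighting; without a later sighting it is
    counted from first_seen, so 2022-10-01 with a 14-day TTL expires on 2022-10-15."""
    anchor = ioc.first_seen
    if ioc.last_seen is not None and ioc.last_seen > ioc.first_seen:
        anchor = ioc.last_seen
    return anchor + timedelta(days=ioc.ttl_days)


def is_expired(ioc: Indicator, today: date) -> bool:
    """An indicator is invalid from its expiry date onwards."""
    return today >= expiry_date(ioc)


def record_sighting(ioc: Indicator, seen_on: date) -> Indicator:
    """A new sighting moves last_seen forward (never backwards) and so extends the TTL window."""
    if ioc.last_seen is None or seen_on > ioc.last_seen:
        ioc.last_seen = seen_on
    return ioc


def stale_enrichment_overrides(iocs: List[Indicator], today: date) -> Dict[str, Dict[str, str]]:
    """What a periodic sync job would write back: for each expired indicator, the enrichment
    fields to override so an analyst cannot mistake it for an active IOC.
    The field names are hypothetical and the platform's write call is not shown."""
    overrides: Dict[str, Dict[str, str]] = {}
    for ioc in iocs:
        if is_expired(ioc, today):
            overrides[ioc.value] = {
                "ioc_status": "stale",
                "ioc_expired_on": expiry_date(ioc).isoformat(),
                "ioc_last_seen": (ioc.last_seen or ioc.first_seen).isoformat(),
            }
    return overrides


# Constructed sample feed: the first entry mirrors the dates used in the thread.
SAMPLE_FEED = [
    indicator("198.51.100.7", "2022-10-01", 14),
    indicator("evil.example", "2022-09-01", 7),
    indicator("203.0.113.9", "2022-09-20", 14, last_seen="2022-10-12"),
]

if __name__ == "__main__":
    today = parse_day("2022-10-20")
    for ioc in SAMPLE_FEED:
        print(ioc.value, "expires", expiry_date(ioc), "expired:", is_expired(ioc, today))
    print(stale_enrichment_overrides(SAMPLE_FEED, today))
```

Run as a scheduled job with `today` set to the current date, the returned mapping is the list of entities whose enrichment should be overridden; keeping a sighting-based `last_seen` rather than only the ingestion date is what stops a still-active indicator from being marked stale.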
I personally don't have the same/similar problem, I was only trying to bring across how we're doing it (with MISP), and trying to provide ideas how it could be solved in Siemplify using a similar approach.
Thanks for your reply. To answer your question: basically, the vendor provides all the malicious IOCs as part of the feed, so we are developing a connector which inserts lists of alerts which will contain the Entities (IOCs). But the feed also includes a set of IOCs which have an expiration date, which the vendor wants to be removed or made outdated based on the expiration date.
Note: They only have a feed; the vendor doesn't provide enrichment for a particular IOC.
Please let me know if you have any questions.
This comment was originally sent by Tom Fridman
Hi @Venkat_Rambatla
I would recommend looking into a Threat Intel Platform; a common free one is MISP. The purpose of this is to handle the TTL of indicators as well as aggregate and normalize your incoming data (especially useful for multiple streams that may have duplicates or incomplete data). Siemplify can get close to your use case, but it would not be perfect. As Yair mentioned, you can add an entity attribute of the date, and then when you have that entity in a case you can use an insight or widget to display the TTL date so that an analyst can tell when that entity was last updated/added.