Skip to content

Expiration Rules

Indicators don’t stay valid forever. For most of them, they have a defined validity period.

When creating/adding an Indicator to a Content Proposal, analysts have to provide a valid_from (required) and valid_until (optional) date which is the time from which this Indicator is considered a valid indicator of the behaviors it is related to or represents.

This is when Expiration Rules come to play. They have been designed to set default validity periods for Indicators depending on the type of observable they related to.

Default Expiration Rules

By default, these validity periods are:

Observable type Time to live
URL 6 months
IPv4 1 month
IPv6 1 month
Domain name 6 months
Others 6 months
File (hash) 5 years


When importing an IP address into a Content Proposal, if you don't change the fields corresponding to the validity date, it will be automatically set to 1 month in the CTI database.