We are looking at aging out indicators from our IDR threat feed and our TIP. IDR documentation shows that there is a replace model in the API, but does that remove the IOC if the TIP aged it out?
If you are talking about this API endpoint:
then the answer is yes, this will remove IoCs that used to be in the threat but are not included in the new data.
Thanks for the response. I was looking at a way just to find and replace indicators one by one since the entire feed may not meet the aging criteria.
I’m afraid that at this time, you can only add new IoCs or replace them all. However, if the feed you are using only contains the active IoCs then you can use the replace endpoint to effectively remove the aged ones.
I know there are some plans afoot to increase the capabilities here and will be sure to let you know if removing individual IoCs via the API is going to be possible.
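The replace-based aging workaround from the answer above, as an added example that is not part of the thread and not the vendor's code. It assumes the TIP can export a mapping of indicator to last-seen time; `plan_replace`, `UnsafeReplace` and the sample data are hypothetical, and the upload call itself is left out because the endpoint is not shown on this page.

```python
from datetime import datetime, timedelta, timezone


class UnsafeReplace(Exception):
    """Raised when the computed replacement would remove too much of the feed."""


def plan_replace(current, tip_last_seen, max_age_days, now, max_drop_ratio=0.5):
    """Plan a full-replace upload that ages out stale indicators.

    current       -- indicator values in the threat feed today
    tip_last_seen -- {indicator: last-seen datetime} exported from the TIP (assumed shape)
    Returns (replacement, removed, added), each a sorted list.
    """
    cutoff = now - timedelta(days=max_age_days)
    current = {i.strip() for i in current if i.strip()}
    # Only indicators the TIP still considers active go into the new data.
    active = {i.strip() for i, seen in tip_last_seen.items() if seen >= cutoff}
    removed = current - active   # dropped by the replace, not by a delete call
    added = active - current
    # A replace is all-or-nothing: an empty or truncated TIP export would
    # silently wipe the feed, so refuse plans that remove too much.
    if not active:
        raise UnsafeReplace("replacement set is empty")
    if current and len(removed) / len(current) > max_drop_ratio:
        raise UnsafeReplace(f"would remove {len(removed)} of {len(current)} indicators")
    return sorted(active), sorted(removed), sorted(added)


# Constructed sample data (documentation address ranges and example domains).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED = ["198.51.100.7", "203.0.113.9", "bad.example.net", "old.example.org"]
TIP = {
    "198.51.100.7": NOW - timedelta(days=3),
    "203.0.113.9": NOW - timedelta(days=40),
    "bad.example.net": NOW - timedelta(days=10),
    "old.example.org": NOW - timedelta(days=200),   # aged out
    "new.example.com": NOW - timedelta(days=1),     # not yet in the feed
}

if __name__ == "__main__":
    replacement, removed, added = plan_replace(FEED, TIP, max_age_days=90, now=NOW)
    print("upload:", replacement)
    print("aged out by replace:", removed)
    print("new:", added)
```

Logging the `removed` list before each upload keeps a record of what the replace aged out, since the feed itself will no longer show those indicators.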