The article deals with the problem of updating indicators of compromise in the field of information security. One of the key difficulties is the growing number of false positives, which slows down the process of incident investigation. To solve this problem, we propose a model for assessing the relevance of indicators of compromise, the purpose of which is to optimise their use. The developed model takes into account various parameters, such as the indicator obsolescence rate, the level of trust in the source, the frequency of detection, the proportion of false positives, the consideration of information from open sources, and the type of malicious activity. The model reduces the number of false positives and improves the efficiency of incident monitoring.