diff --git a/rules/okta_rules/okta_geo_improbable_access.py b/rules/okta_rules/okta_geo_improbable_access.py
index 31d99a6c7..712c5cf1e 100644
--- a/rules/okta_rules/okta_geo_improbable_access.py
+++ b/rules/okta_rules/okta_geo_improbable_access.py
@@ -6,7 +6,6 @@ from panther_detection_helpers.caching import (
 get_string_set,
 put_string_set,
- set_key_expiration,
 )
 PANTHER_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
@@ -98,9 +97,8 @@ def store_login_info(key, event):
 }
 )
 ],
+ epoch_seconds=event.event_time_epoch() + timedelta(days=7).total_seconds(),
 )
- # Expire the entry after a week so the table doesn't fill up with past users
- set_key_expiration(key, int((datetime.now() + timedelta(days=7)).timestamp()))
 def title(event):
diff --git a/rules/onelogin_rules/onelogin_active_login_activity.py b/rules/onelogin_rules/onelogin_active_login_activity.py
index bb0d2e10b..994f7c759 100644
--- a/rules/onelogin_rules/onelogin_active_login_activity.py
+++ b/rules/onelogin_rules/onelogin_active_login_activity.py
@@ -1,15 +1,14 @@
-import time
+from datetime import timedelta
 from panther_base_helpers import is_ip_in_network
 from panther_detection_helpers.caching import (
 add_to_string_set,
 get_string_set,
 put_string_set,
- set_key_expiration,
 )
 THRESH = 2
-THRESH_TTL = 43200 # 1/2 day
+THRESH_TTL = timedelta(hours=12).total_seconds()
 # Safelist for IP Subnets to ignore in this ruleset
 # Each entry in the list should be in CIDR notation
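Review bot: The new `epoch_seconds=event.event_time_epoch() + timedelta(days=7).total_seconds()` argument on the `put_string_set` call ties the 7-day expiry to the event's own timestamp, whereas the removed `set_key_expiration` call used the wall clock at ingest; a login delivered late or backfilled more than seven days after it happened is therefore written with an expiry already in the past and can be reaped at once, leaving the next login with no prior location to compare against. Out-of-order delivery has the same effect in miniature, since an older event arriving after a newer one moves the key's expiry backwards. If event-time anchoring is intended (it does make replayed logs deterministic), say so on the call, e.g. `# TTL is anchored to event time, not ingest time: late or replayed events age out sooner`; otherwise anchor to the later of the two clocks. `total_seconds()` also yields a float where the old code passed an `int`, so confirm the helper accepts that. `store_login_info` begins outside this hunk.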
@@ -41,13 +40,13 @@ def rule(event):
 user_id = str(event.get("user_id"))
 if not user_ids:
 # store this as the first user login from this ip address
- put_string_set(event_key, [user_id])
- set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
+ put_string_set(event_key, [user_id], epoch_seconds=event.event_time_epoch() + THRESH_TTL)
 return False
 # add a new username if this is a unique user from this ip address
 if user_id not in user_ids:
- user_ids = add_to_string_set(event_key, user_id)
- set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
+ user_ids = add_to_string_set(
+ event_key, user_id, epoch_seconds=event.event_time_epoch() + THRESH_TTL
+ )
 return len(user_ids) > THRESH
diff --git a/rules/onelogin_rules/onelogin_high_risk_login.py b/rules/onelogin_rules/onelogin_high_risk_login.py
index 196da6181..6a2142c5a 100644
--- a/rules/onelogin_rules/onelogin_high_risk_login.py
+++ b/rules/onelogin_rules/onelogin_high_risk_login.py
@@ -1,13 +1,12 @@
-import time
+from datetime import timedelta
 from panther_detection_helpers.caching import (
 get_counter,
 increment_counter,
 reset_counter,
- set_key_expiration,
 )
-THRESH_TTL = 600
+THRESH_TTL = timedelta(minutes=10).total_seconds()
 def rule(event):
@@ -21,8 +20,7 @@ def rule(event):
 # a failed authentication attempt with high risk score
 if str(event.get("event_type_id")) == "6":
 # update a counter for this user's failed login attempts with a high risk score
- increment_counter(event_key)
- set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
+ increment_counter(event_key, event.event_time_epoch() + THRESH_TTL)
 # Trigger alert if this user recently
 # failed a high risk login
diff --git a/rules/slack_rules/slack_application_dos.py b/rules/slack_rules/slack_application_dos.py
index bb8fd1527..eb7e0d68d 100644
--- a/rules/slack_rules/slack_application_dos.py
+++ b/rules/slack_rules/slack_application_dos.py
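Review bot: Both `epoch_seconds=event.event_time_epoch() + THRESH_TTL` arguments set the expiry of the whole `event_key` set from the current event's timestamp, so when OneLogin events arrive out of order a late-arriving older login rewinds the set's expiry — possibly to a moment already past — and the user list accumulated for that IP is dropped before it can reach `THRESH`. The removed `int(time.time()) + THRESH_TTL` form could only ever extend the window on each write. Either document the choice on the first call, e.g. `# expiry follows event time; out-of-order delivery can shorten the 12h window`, or compute the expiry once as the later of event time and ingest time and pass that to both calls. `THRESH_TTL` is now the float `43200.0` rather than `43200`, so the expiry passed is a float as well; confirm the helper accepts that. `rule` starts before this hunk.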
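Review bot: `increment_counter(event_key, event.event_time_epoch() + THRESH_TTL)` passes the expiry as the second positional argument, while every other call site in this change passes it by name as `epoch_seconds=`; if the helper's second positional parameter is the increment amount rather than the expiry, this bumps the counter by an epoch-sized value on every high-risk failure and sets no TTL at all, so the key never ages out and the detection fires on the next event regardless of timing. Passing it by keyword, `increment_counter(event_key, epoch_seconds=event.event_time_epoch() + THRESH_TTL)`, removes the ambiguity whichever way the helper is defined. `THRESH_TTL` is now the float `600.0`, so the resulting expiry is a float too — confirm the helper accepts that. `rule` starts before this hunk.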
@@ -1,11 +1,10 @@
-from datetime import datetime, timedelta
+from datetime import timedelta
 from json import dumps
 from panther_base_helpers import deep_get, slack_alert_context
 from panther_detection_helpers.caching import (
 get_string_set,
 put_string_set,
- set_key_expiration,
 )
 DENIAL_OF_SERVICE_ACTIONS = [
@@ -55,6 +54,5 @@ def store_reset_info(key, event):
 }
 )
 ],
+ epoch_seconds=event.event_time_epoch() + timedelta(days=1).total_seconds(),
 )
- # Expire the entry after 24 hours
- set_key_expiration(key, int((datetime.now() + timedelta(days=1)).timestamp()))
diff --git a/rules/slack_rules/slack_application_dos.yml b/rules/slack_rules/slack_application_dos.yml
index e7a9ef6f4..283ca2fd5 100644
--- a/rules/slack_rules/slack_application_dos.yml
+++ b/rules/slack_rules/slack_application_dos.yml
@@ -25,8 +25,6 @@ Tests:
 returnValue: ""
 - objectName: put_string_set
 returnValue: ""
- - objectName: set_key_expiration
- returnValue: ""
 Log:
 {
 "action": "user_session_reset_by_admin",
@@ -58,8 +56,6 @@ Tests:
 returnValue: "{\"time\":\"2021-06-08 22:24:43\"}"
 - objectName: put_string_set
 returnValue: ""
- - objectName: set_key_expiration
- returnValue: ""
 Log:
 {
 "action": "user_session_reset_by_admin",
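Review bot: `epoch_seconds=event.event_time_epoch() + timedelta(days=1).total_seconds()` anchors the 24-hour expiry to the event's timestamp instead of the ingest clock the removed `# Expire the entry after 24 hours` block used, so any session-reset event replayed or delivered more than a day late is written already expired and reaped immediately, and the reset-then-action correlation loses its first half; the mocked cache value in the yml hunk is dated 2021-06-08, which suggests the fixtures themselves would hit this if `put_string_set` were not mocked. Worth a comment on the call, e.g. `# expiry is relative to event time, so late-delivered events age out sooner`, or clamping to ingest time if that is not intended. The value is also a float where the removed code passed an `int`; confirm the helper accepts it. `store_reset_info` begins outside this hunk.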