Detections will automatically change their state to inactive after set periods of time. The lifespan of the detection is algorithm and detection specific.
Hidden HTTPS Tunnels identified as Command and Control traffic have a maximum lifespan/age of 7 days. This is different from tunnels identified as data exfiltration, which have a maximum lifespan/age of 30 days.
| Detection category | Days to Inactive |
|---|---|
| CNC – Command and control | 7 days |
| Botnet Monetization | 7 days |
| Info (unscored) | 30 days |
A campaign will close:
- If there have been no new detection events for 7 days, or
- All detections in the campaign are either triaged or marked as fixed.
Checks on the existing campaigns are done on an hourly basis. If all detections are marked as triaged/fixed, it may take up to 1 hour to close the campaign.
Campaigns are never re-opened. New detection activity instead creates a new campaign with a new name. New campaigns with the same name as a previous campaign are suffixed with a number (e.g. domain-name.com-2). The number will increment as more campaigns with the same name surface.
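The detection lifespans in the table and the campaign closure and naming rules above, modelled as a small Python script so the ageing logic can be checked against what the console shows. This is an added example, not Cognito's own code; the category names, the `NOW` timestamp and the sample detections are constructed for illustration.

```python
from datetime import datetime, timedelta

# Lifespans in days, taken from the table and text above. Hidden HTTPS
# tunnels appear twice because their lifespan depends on what the tunnel
# was identified as (command and control vs. data exfiltration).
DAYS_TO_INACTIVE = {
    "CNC": 7,
    "Botnet Monetization": 7,
    "Info": 30,
    "Hidden HTTPS Tunnel (C2)": 7,
    "Hidden HTTPS Tunnel (exfiltration)": 30,
}
CAMPAIGN_IDLE_DAYS = 7

# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 1, 31, 12, 0, 0)

def ago(days):
    """Timestamp `days` days before NOW (helper for building sample data)."""
    return NOW - timedelta(days=days)

def detection_is_active(category, last_seen, now=NOW):
    """A detection turns inactive once its category-specific lifespan elapses."""
    return now - last_seen < timedelta(days=DAYS_TO_INACTIVE[category])

def campaign_should_close(detections, now=NOW):
    """Close when there has been no detection event for 7 days, or when every
    detection is triaged/fixed. `detections` is a list of dicts with
    'last_seen' (datetime) and 'status' ('open', 'triaged' or 'fixed')."""
    idle = all(now - d["last_seen"] >= timedelta(days=CAMPAIGN_IDLE_DAYS)
               for d in detections)
    resolved = all(d["status"] in ("triaged", "fixed") for d in detections)
    return idle or resolved

def next_campaign_name(base, existing):
    """Campaigns never re-open: new activity under an existing name gets a
    numeric suffix (base-2, base-3, ...) that keeps incrementing."""
    if base not in existing:
        return base
    suffixes = [n[len(base) + 1:] for n in existing if n.startswith(base + "-")]
    nums = [int(s) for s in suffixes if s.isdigit()]
    return f"{base}-{max(nums, default=1) + 1}"

if __name__ == "__main__":
    campaign = [{"last_seen": ago(3), "status": "open"},
                {"last_seen": ago(10), "status": "triaged"}]
    print("C2 tunnel last seen 8 days ago still active?",
          detection_is_active("Hidden HTTPS Tunnel (C2)", ago(8)))
    print("campaign closes at next hourly check?", campaign_should_close(campaign))
    print(next_campaign_name("domain-name.com", ["domain-name.com", "domain-name.com-2"]))
```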
- Detections are stored in Cognito and searchable for 180 days.
- Triaged detections are deleted after 30 days.
- Host sessions expire after 60 days of inactivity.
- Hosts without host sessions and without scores are automatically deleted.
- Scores expire after 180 days. Hosts attached to a detection will be deleted 180 days after the detection is inactive.
- Pcaps are deleted 180 days after they are created.