Detection and Campaign lifespan and retention periods


Detection lifespan

Detections will automatically change their state to inactive after set periods of time. The lifespan of the detection is algorithm and detection specific.


Hidden HTTPS Tunnels identified as Command and Control traffic have a maximum lifespan/age of 7 days.  This is different from tunnels identified as ex-filtration data, which have a maximum lifespan/age of 30 days.

  Days to Inactive
CNC – Command and control 7 days 
Botnet Monetization 7  days
Lateral 15-30 days
Ex-filtration 15-30 days 
Recon 30 days
Info (unscored) 30 days

Campaign lifespan

A campaign will close:

  • If there have been no new detection events for 7 days or,
  • All detections in the campaign are either triaged or marked as fixed.

Checks to the existing campaigns are one on an hourly basis. If all detections are marked as triaged/fixed it may take up to 1 hour to close the campaign.

Campaigns are never re-opened.  New detection activity instead creates a new campaign with a new name.  New campaigns with the same name as a previous campaign are suffixed with a number (e.g. The number will increment as more campaigns with the name surface.

Retention Periods

  • Detections are stored in Cognito and searchable for 180 days.
  • Triaged detections are deleted after 30 days.
  • Hosts sessions expire after 60 days of inactivity
  • Hosts without host sessions and without scores are automatically deleted.
  • Scores expire after 180 days. Hosts attached to a detection will be deleted 180 days after the detection is inactive.
  • Pcaps are deleted 180 days after they are created.
Was this article helpful?
2 out of 2 found this helpful

Download PDF


Article is closed for comments.