TTL (Time-to-Live) refers to the amount of time a threat indicator remains within a threat feed. A threat indicator's default time to live can vary based on the type of threat from less than a day to up to a year.
Note
Default TTLs are assigned a value based on classification and property. The default TTL value is neither dependent on, nor uses Threat Class, Threat Level, Threat Confidence, or other data, when assigning a value.
Viewing Default TTLs
To view Default TTLs, perform the following:
- From the Cloud Services Portal, click Research > Resources.
- On the Resources page, click Default TTLs in the top menu. The following information is displayed:
- Class: The class of a given threat indicator in a threat feed. The Class column can be sorted in ascending or descending order by clicking on its column header.
- Property: The property of a given threat indicator in a threat feed. The Property column can be sorted in ascending or descending order by clicking on its column header.
- TTL: The Time-to-Live for a given threat indicator in the threat feed. The TTL column can be sorted in ascending or descending order by clicking on its column header.
The following table displays TTL values for threat indicator classes and properties.
| CLASS | PROPERTY | TTL |
|---|---|---|
| APT | 2 years | |
| Bot | 7 days | |
| Compromised Host | 30 days | |
| Cryptocurrency | 1 year | |
| Cryptocurrency | Cryptocurrency_Coinhive | 60 days |
| Cryptocurrency | Cryptocurrency_Cryptojacking | 60 days |
| Cryptocurrency | Cryptocurrency_Exchange | 60 days |
| Cryptocurrency | Cryptocurrency_Generic | 14 days |
| Cryptocurrency | Cryptocurrency_GenericThreat | 14 days |
| Cryptocurrency | Cryptocurrency_MiningPool | 60 days |
| DDoS | 12 hours | |
| DNS Tunnel | 30 days | |
| DNS Tunnel | DNSTunnel_Safe | 1 year |
| Exploit Kit | 30 days | |
| ICS | 30 days | |
| Illegal Content | 3 days | |
| Internet Infrastructure | 1 year | |
| Internet Infrastructure | InternetInfrastructure_CompromisedIOT | 6 months |
| Internet Infrastructure | InternetInfrastructure_UnsecuredIOT | 6 months |
| Limited Distro | 30 days | |
| Malicious Nameserver | 90 days | |
| MalwareC2 | 120 days | |
| MalwareC2 | MalwareC2_Gandcrab | 14 days |
| MalwareC2 | MalwareC2_Log4Shell | 60 days |
| MalwareC2 | MalwareC2_Lookalike | 120 days |
| MalwareC2DGA | 120 days | |
| Malware Download | 120 days | |
| Malware Download | 14 days | |
| Malware Download | MalwareDownload_TaurusProject | 60 days |
| Parked | 120 days | |
| Phishing | 120 days | |
| Phishing | Phishing_Lookalike | 120 days |
| Policy | Policy_IDNHomograph | 3 days |
| Policy | ||
| Policy | 1 year | |
| Policy | 1 year | |
| Proxy | 3 days | |
| Proxy | Proxy_DNST | 30 days |
| Scam | 14 days | |
| Scanner | 7 days | |
| Sinkhole | 1 year | |
| Sinkhole | 75 days | |
| Sinkhole | Sinkhole_Nameserver | |
| Sinkhole | Sinkhole_SinkholedHost | 175 days |
| Spambot | 5 days | |
| Suspicious | Suspicious_DGA | 120 days |
| Suspicious | Suspicious_Lookalike | 120 days |
| Suspicious | Suspicious_Registration | 120 days |
| Suspicious | 120 days | |
| Uncategorized Threat | 120 days | |
| Undefined | 1 day | |
| Unwanted Content | 120 days | |
| Web App Attack | 30 days | |
| Whitelist | 1 year |