Lifecycle
When SENTINEL first saw this infrastructure, when public sources caught up, and when it went dark. The shaded span is our lead time.
Public confirmations
Public threat-intel sources that subsequently listed this indicator. Lead time is days between SENTINEL first-observed and that source's published date.
| Source | Published | Lead time | Reference |
|---|---|---|---|
| No public source has caught up yet. | |||
Classification
Decay
How actionable this indicator is now. IoCs decay at type-specific rates (Pyramid of Pain); a fresh sighting resets the score.
Methodology. An indicator opens at a base score (set by confidence) and decays over a lifetime fixed by its type — IP 3d, URL 5d, domain 7d, file hash 21d, certificate 120d. Per the Pyramid of Pain, the harder an artefact is for an adversary to change, the longer it stays actionable. Score = base × (1 − (age / lifetime)1/speed), decay speed 2.6. Every fresh sighting in any source resets age to zero and the score back to base; once age reaches the lifetime the score is 0 and the indicator is expired and purged from active detection.