Inactive Data#

This feature must be enabled in EclecticIQ Labs before use.

Inactive data management automatically identifies and marks threat intelligence entities that are no longer relevant based on their age and validity period. This helps you focus on current, actionable threats while maintaining access to historical data when needed.

When entities become inactive#

Each entity in the platform has a Half-life calculated using a half-life formula. This value decreases over time as the threat intelligence ages, reflecting its diminishing relevance to current security operations.

An entity is automatically flagged as inactive when either of these conditions is met:

  • Half-life drops below 1%, or

  • Expired validity: The threat end time (defined in the STIX entity) has passed.

Viewing inactive entities#

Entity detail pane#

When viewing an entity’s details, you’ll see an “Inactive” label displayed next to the half-life value in the Estimated time section. This label appears when the entity meets the inactivity criteria.

Searching and filtering#

By default, search results hide inactive entities to help you focus on current threats.

To view inactive entities:

  1. Navigate to the search interface.

  2. Toggle the “Show inactive Entities” filter.

  3. Search results will now include both active and inactive entities.

Exporting inactive entity data#

When configuring outgoing data feeds, you have three options for handling inactive entities using the Relevancy threshold (%) setting in the outgoing feed configuration:

Export all data (active + inactive)#

To export all entities regardless of their status:

  1. Select Custom Threshold

  2. Set the threshold to 0%

This exports every entity in the platform, including those with any relevancy score or expired validity.

Export only active data#

To export only active data:

  1. Select Custom Threshold

  2. Set the threshold to any value above 1% (for example, 5%, 10%, or 50%)

This exports only entities with relevancy scores at or above your specified threshold. Inactive entities (below 1%) are automatically excluded.

Export only inactive data#

To export historical or expired threat intelligence, select Less than 1% (Inactive Entities).

This exports only entities flagged as inactive (relevancy < 1% OR expired threat end time). Useful for archival purposes, compliance requirements, or historical analysis.