We've got several threatlists running and I see that old threatlist information isn't properly cleaned. The max age is put on -1d but the data is still sometimes old and showing domains that have long been removed. How can you schedule a cleanup for this data?
I've done this but somehow it still shows up in notables.
In |inputlookup ip_intel I can't find the domain but it's still getting matched, even though there's a max age and the retention searches have been scheduled and executed. The correlation search is looking in the data model threat_actvity which looks at ip_intel so I don't understand how it's still matching.