SEDR creates Incidents for DAI Feed matches on Endpoints that are no longer managed
Article ID: 186076
Advanced Threat Protection PlatformEndpoint Detection and Response
The SEDR software utilizes the DAI (Dynamic Adversary Intelligence) feed to analyze the list of known File entity's SHA2 hashes to determine if there are known malicious files that exist in the environment. When a match is found, a High severity Incident is created which indicates a Suspected Breach. When reviewing the list of Endpoints in the Incident, you may find that one or more Endpoint's Entity pages come up as Null.
If the database is not purging quickly enough, a match may be found on an Endpoint that no longer exists. This may also be caused by issues in previous versions of SEDR or ATP which may cause the appliance to unenroll clients.
The DAI feed logic runs multiple times per day, so it is possible that matches will happen on Endpoints which no longer exist on the SEPM or the SEDR. Improvement have been made in SEDR 4.4 to make this purge happen more often and more efficiently.
If the Endpoints coming up Null are expected to be Enrolled, please review this document for further information: