After removing a SEPM or SEPM Groups from an SEDR Appliance, the appliance continues to generate Advanced Attack Technique (AAT) Incidents about those clients.

The Active Managed Endpoints database still contains an entity reference to those clients.

After a client is removed from an SEDR Appliance, the appliance may keep data about that client for several days. The SEDR Appliance may continue to get Incidents for these clients during that time.