"This process has been tagged with the following reports: 
Report "X" from feed X 
. 
If not on the current page, the report(s) are either unavailable, or the tagged events are on another page."

• Carbon Black Response Console: All Versions

1. The console will continue to show the report was a hit on that process document for that report when it matched at ingress
2. Long running or large events may not enough event data on the first page. Selecting another page will read additional event data to match
3. If a feed with a query report matches a process document, a new process document is copied to Solr with the feed report information. Since the query does not specify which IOC is the match, the event cannot be tagged as the cause of the query report hit and display this message

• This was reported with the Crowdstrike feed
• A feed that is updated regularly with a large amount of reports can see the process and event data at ingress by the sensor, the process document contains an IOC that matches an IOC in that report and is tagged with that feed report
• When the feed is updated it no longer contains the IOC that the process document is tagged with originally
• The CB Response server does not store old versions of feeds
• The error message occurs as the API is requesting to re-match the IOC and it is not longer there
• In some cases the IOC doesn't exist on the current page per the error. The console API does not load all events of every process for performance reasons.