When viewing the process analysis page of a process tagged with a threat report, the following message is presented under the Alliance Feeds section:

The process has been tagged with the following reports: Report "$report_name_here" from feed $feed_name_here.

If not on the current page, the report(s) are either unavailable, or the tagged events are on another page.

• EDR Server: All Supported Versions

If the tagged events are not on another page, the feed owner has updated the feed by removing the IOC from the threat report.

As IOC's are removed from threat reports, the process events that display the IOC data are no longer able to query the database for the information since it no longer exists. This is working as designed.

• This behavior will appear more often for feeds that are frequently updated. What is happening here, and this is standard operating behavior, is that on ingress of the process and event data by the sensor, the process document (event) contains an IOC that matches an IOC in the report and therefor is being tagged with the feed report. However, when the feed is updated, and since we do not store old versions of the feed, the new feed report no longer contains the IOCs that tagged the process document when it was originally added. Since we store that the hit occurred but not which event caused the hits, we re-match the IOCs when processing the API request and if the IOC is no longer there, the API call cannot match it. For this reason, there is a scenario in which you do not see any marked events in the UI even though it still indicates that the process document (event) was tagged by the feed report.