![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 10%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
I am not sure of the specific cause, but this is not a common practice, though technically feasible. I suspect this will clear up in 12-24 hours. You may need to open a support case if this runs longer.
It may help to consider how this feature functions. The TI view only displays the most recent, unique, active records from the table. Each IOC is given and ID. Any updates are represented as a new record. For example, when a record expires, a new record is written with an inactive flag for the IOC. I assume what you see in the portal is not a direct query. Likely a hidden sub-table that is updated periodically. The purge may have caused an unexpected interruption to this process.
