Hello,
Recently I've noticed that the threat source has disappeared 'rsa-firstwatch' and are left with only a threat desc of http://firstwat.ch/amgxxb or whatever it may be. In an attempt to filter through the noise, I tried to flag only on IOC's that provide a threat category and it seems as soon as you do this, you lose all firstwatch data feed information. Is there a reason that firstwatch isn't generating this meta or is there a meta I am missing?
can you check the REST interface of the feeds you are seeing as having reduced meta written for them ?
decoder/log decoder > explore > decoder > parsers > feeds > "feedname"
select the feed name you have subscribed to
you will see the feed details listed on the page
feed.callbacks are the metakeys that the feed matches on (primary key)
feed.meta are the metakeys that are written when a match is located with the feed.callbacks keys.
check the keys that you are seeing only the one meta value written and see if any of the feeds only have one metakey in the feed.meta entry.
I also have a script that can grab all the feeds that are subscribed to in an environment if you want to grab the details en masse for operational purposes or archiving.