Elastic Security Threat Match rule

lduvnjak · September 29, 2025, 11:41am

I have a couple of questions about how threat match rules work in Elasticsearch, which I feel the documentation does not cover very well.

The question is about the Custom query parameter, the frequency, and the additional lookback time.

What we care about is retroactive threat hunting. By default, Elasticsearch Security pre-built threat rules use a combination of 1 hour frequency and 5 minutes additional look-back time. The IoCs are filtered to only include those ingested in the last 30 days.

When you use a Custom Query `*:*` in this scenario, will it:
a. Match the documents since the last hour and 5 minutes to the last 30 days of IoCs
b. Match ALL of the documents specified by Index Pattern to the last 30 days of IoCs

lduvnjak · September 29, 2025, 1:32pm

I’ve found this, which would indicate that the default way Elastic threat rules work is they run each hour and match the indicators which appeared within the last 30 days to the last hour and 5 minutes of logs.
Can someone with more knowledge confirm this?

Topic		Replies	Views
Matching threat indicators to content in ELK Elasticsearch	2	1254	July 6, 2017
Matching threat intel to data in ELK Elasticsearch	3	1731	July 6, 2017
Signal SIEM Detections using log files SIEM	5	449	May 23, 2020
Match rule not working SIEM elastic-stack-alerting	7	678	April 8, 2021
Reducing the number of Alerts Logstash	3	556	July 6, 2017

Elastic Security Threat Match rule

Related topics